Hybrid cryptographic approach to enhance the mode of key management system in cloud environment

Abstract

Cloud computing has gained great attention among the individual user and the organization. Transitioning to the cloud platform is not simple as it involves various cybersecurity and operational issues. Due to a large amount of data storage in the cloud, ensuring the security of the data outsourced in the cloud is highly important. A Key Management System (KMS) is a secure data protection method that is commonly used in e-healthcare information systems, information security (confidentiality, integrity, authenticity), large-scale organizations, architecture security, sensor security, identity management, access control (privacy preservation), identity proofing (authentication), and legal issues. Because this approach allows the secret key information to be exchanged safely, the security level may be guaranteed to be high. Using a random prime number, a master secret key, and a parameter value, one can generate a secure key that is difficult for hackers to break. Secure data transfer with exact and consistent authentication is the goal of this new approach. This research focuses on the development of secure secret key creation and the improvement in secure key sharing. To generate the key (in the form of a QR code), we have used an asymmetric Elliptic Curve Cryptography (ECC) method, whereas encryption and decryption of data have been done by a hybrid of Advanced Encryption Standard (AES) and ECC cryptography. The hybrid ECC-AES model was found to take less amount of time than the AES model and other existing models. Current algorithms have certain security issues, such as vulnerability to plaintext attacks, brute force attacks, side-channel attacks, and computational complexity. The proposed algorithm has been able to overcome the issue of key exchange that plagues AES, simpler than ECC and more reliable than AES. As a result, KMS has been designed to provide high levels of security for healthcare information. We have proposed a Hybrid Cryptographic Approach to enhance the Mode of Key Management System (HCA-KMS) in a Cloud Environment based on authenticated encryption with AES and ECC. The proposed algorithm has been compared to existing methods concerning confidentiality, integrity, time complexity, storage overhead, resource utilization, security, and log time to demonstrate its efficacy. The proposed HCA-KMS has time complexity, encryption time (O (n)), and decryption time (O (logn)).

1 Introduction

In the cloud, security is of the utmost importance. Cryptography algorithms are used to protect the confidentiality of data. On a cloud storage system, data are stored and backed up in the cloud, and then made accessible to users over a network. The cloud service provider (CSP) is only responsible for maintaining, monitoring, and controlling the data once the data have been outsourced to the cloud. Using cloud services, you can access software and hardware that is hosted and maintained by a third party at a different location [1]. Online file storage, social networking, e-mail, and commercial applications are all examples of cloud services. Anywhere with an Internet connection, the user can utilize the cloud computing approach to access data and computer resources. Data storage, networks, computer processing power, and specific corporate and consumer applications are all part of the cloud computing service.

Most cloud service providers offer data storage, which allows users to access their data from any mobile device. As a result, there is a substantial chance that any device is able to access the contents stored there. Data files (such as business plans and other confidential documents) stored in the cloud that needs to be shared only with those who should have access are vulnerable to attacks entirely trusted when saved on cloud servers operated by the cloud providers [2]. When it comes to protecting data privacy, the simplest method of doing so is to encrypt the files and then transfer them to the cloud.

In terms of cloud security concerns, data security is the most important one to be taken care of. There are two types of cloud security: data at rest and data in transit [3]. When enterprises migrate data into the cloud, both types of security are required. A wide range of cloud data types exists, including user identity data, audit data, temporary runtime data, application data, and so on. Based on the nature of the data, the level of protection required varies [4]. Secure data, such as user records, necessitate high levels of protection. In most cases, a user's name and password are all that is required for privacy assurance. The user's level of security concerns varies depending on the type of data. Figure 1 depicts the data security architecture of the cloud system.

Fig. 1

Key management scheme in a Cloud environment

Issues with cloud data security include authentication, confidentiality, integrity, and scaling of keys (CSA 2009). Because of the multiple tenants, remote data storage, third-party cloud providers, and huge data sharing that cloud computing entails, data in the cloud must be kept private and secure. If you want to keep our personal information private, one must encrypt all of their data [5,6,7,8,9,10,11,12]. The distribution of keys and the upgrading of encryption and decryption keys are the two most difficult aspects of encryption. There must be no tampering with the data at rest or in transit to ensure that it is secure. Data integrity must be checked both during transit and when stored in the cloud when users outsource their data. Cloud storage means that the data are more vulnerable to change by anyone who accesses it. Third-party audits and dynamic data are required to ensure the integrity of the system.

Although technology experts have explored a variety of methods for safeguarding data transfer, data encryption is the most widely used and effective method. The data are "scrambled" by encryption so that it cannot be read by someone who is not intended to read it. Data encryption entails converting information into a form that only licensed individuals with a decryption key will be able to read. Before encryption, data are referred to as plaintext, whereas after encryption, data are referred to as cipher text. Data encryption is done on purpose to protect confidential information while it is stored or transferred from one system to another. Encryption methods include Asymmetric Encryption and Symmetric Encryption. One encrypts the data with a symmetric key, while the other encrypts the data with an asymmetric key. In symmetric-key cryptography, the data are encoded and decoded using the same key, whereas, in asymmetric-key cryptography, the data are decoded and encoded using two distinct keys. Both mechanisms have their advantages and disadvantages. The symmetric-key technique has the advantage of being rapid and easy to use. The asymmetric encryption method is a low-cost, high-efficiency strategy for securing data and uses a single safe key; therefore, it is less secure. Asymmetric algorithms, on the contrary, are sluggish and complicated, but they deliver an enhanced level of security. Two in-demand symmetric algorithms are Data Encryption Standard (DES) and Advanced Encryption Standard (AES) [13, 14]. Asymmetric-key cryptography, sometimes known as public-key cryptography, is a type of symmetric-key encryption, which encrypts and decrypts messages using unique keys. RSA, Elliptic Curve Cryptography (ECC)-based Elliptic Curve Digital Signature Algorithm (ECDSA) and the Elliptic Curve Digital Signature (ECDH) Algorithm are an examples of asymmetric encryption methods. ECC is also used in Diffie Hellman [15,16,17,18]. As a result, combining symmetric and asymmetric encryption algorithms can be one of the best potential solutions for encryption. As a result, hybrid (HCA-KMS) cryptography has been proposed in this work to ensure data security. Weak security protocols can result in the loss of major, confidential and sensitive data in different KMS applications. Data loss that cannot be recovered may occur in a worst-case scenario due to a security attack on the information. There are other consequences of weak security controls, such as high-risk network and busy server congestion, loss of user confidence, and high cost of recovery.

Data storage is the practice of making the records of an object, such as a corporation or organization, available for access and maintenance via a distributed network of cloud services that are linked to one another. The method of encryption is an essential component of the core data security strategy, and it plays an important part in the process of keeping secure contact across networks that are both consistent and scattered because the encryption method disordered the data to keep it protected by retaining "the secret." The operative of the communicator just needs a key to decrypt the data. The symmetric-key encoding method and the asymmetric-key encoding method are both used in verification procedures. During a symmetric-key encoding process, just one key is mandatory to execute both the encoding and decrypting of the data. When using asymmetric-key encryption, it is common to practice making use of two keys. Both the private key and public key are equally significant. The public key method is used for encoding the cipher text data. A second private key is obligatory to decode the information. The security of cloud computing is ensured by retaining a wide array of known and tested procedures. Cloud storing is a centralized database system tool that allows anyone to share information, substructure, and information through the Internet. Verification, anonymity, and integrity are just a few of the security concerns. Data encryption is commonly used to protect and secure data transmitted over the Internet. Several algorithms have been created to secure data and prevent hackers or offenders from exchanging information over the Internet. In this research, an HCA-KMS for the current authentication technique is proposed with an automatic key group utilizing a genetic procedure to improve the security of cloud services. According to the results, the proposed technique works well in terms of setup, encrypt, decrypting, key generation, extract, as well as provides high levels of security for healthcare parameters i.e., log time, storage overhead, security with cloud users, and resource utilization rate, integrity, and confidentiality for files ranging in size from 100 to 1000 KB.

The main contribution of this paper is threefold:

• The AES has been modified to give better results with the help of a function (as mentioned in Sect. 3.2.1).

• The ECC has been used for decryption which incorporates the decoding function for the QR code (as mentioned in Sect. 3.2.1).

• HCA-KMS provides flexibility in terms of data file type being used for encryption and decryption before uploading the file to the cloud environment. The proposed algorithm’s distinctive feature is that it allows us to encrypt any extension file into any other extension and then decrypt it to retrieve the original extension file. Every encrypted file also has a special QR code attached to it, making it impossible for a third party to decrypt the file without a QR code.

The rest of the paper is organized in the following manner. Section 2 presents a literature review of the existing work done regarding the key generation methods. Section 3 explains the existing methodology for secure data sharing and discusses the proposed methodology (HCA-KMS) for secure data sharing in a cloud environment; key assignment in the key aggregate cryptosystem which explains with the help of the private weighted sum aggregation process. Results and comparative analysis is presented in Sect. 4. Finally, Sect. 5 explains the results and is followed by the conclusion of the paper.

2 Literature review

In recent times, the arrangement of edge gadgets, from sensors and actuators to laptops and smartphones, has been rising every day globally. When such gadgets provide connectivity and a few kinds of smart applications, the complete system is termed as Internet of Things (IoT). A primary advantage of IoT is its capability to enhance original services using wide transmission along with that processing capacity and high data collection. The envisioned demand for high data collection capacity imposes IoT to rest on cloud computing (CC) for guaranteeing adequate data processing as well as required. CC [19] simplifies on-demand accessibility to a shared collection of capital, intending to allow huge storage or high processing capabilities [20]. However, CC cannot be regarded as a viable design for services with strict requirements concerning, for instance, latency for reliable e-health services or instant decision-making procedures in the industry [21]. Providing support to the security zone, authentication and key distribution are initial methods for providing secure integrity and transmission in a system.

Shanmuga Priya et al. [22] provided an improved method to the widely used information security model in the cloud. For user authentication, the proposed information safety model incorporates the group of OTPs using a Hash-based message verification code (HMAC). This study also contains a comparison of MDS5 and SHA algorithms for better performance of systems applications. This perfect is best for any of the coatings in it, and the authors do this by employing encryption methods that convert original material into a format that is incomprehensible to a third party. The proposed paradigm by Neela, K. L. et al. [23] is based on a decentralized architecture that is independent of any third-party scheme. The data security in this architecture can be improved by applying the cyclic shift transposition procedure. The authors have employed a rapid response code and a hash-based timestamp for safe data transmission and retrieval, preventing real-time assaults.

A Huffman code-based approach has been used to manage group keys as outlined in [24]. The TV channels can only be viewed by approved subscribers. The usage of Fast Fourier transforms and Euclidian techniques reduces the overall computing time. When users leave known operations, this method works well; when they leave unpredictable operations, it does not.

In [4], the authors have proposed a new way to distribute keys: via a proxy re-encryption mechanism. Even from the cloud provider, the data have been kept private by the writers. Data stored in the cloud are encrypted using a re-encryption key, which is then transmitted to the newly joined user by the cloud provider. The user gets the group key after applying decryption on receiving end. Assuming only a partially trusted server, the security level is relatively high. As a result, the revocation of the user's access to re-encryption keys and the production of new group and re-encryption keys is computationally costly.

In the proposed Certificateless Public Key Cryptography (CL PKC) [8], a third-party Key Generation Center (KGC) helps the user generate the key pair. The KGC does not have access to the user's private keys; therefore, they are safeguarded. CL-safety, PKC's on the other hand, is dependent on the KGC, and the secure channel is used to communicate.

As proposed in [25], a Cloud Key Management Client and a Cloud Key Management Server are employed in the Cloud Key Management Infrastructure (CKMI). Keys, operations on keys, and attributes stated on the keys are all part of a new key management system that has been proposed. If the CKMS fails, all of the data stored are destroyed without an appropriate backup or recovery strategy in place.

[26, 27] ECC is utilized for the encrypting and decrypting of data to deliver safe and effective services to a wide variety of users. To encrypt and decrypt data, the layered approach with two parts is utilized. The initial segment is made up of very small sections, which are used for lowering the size of the keys and adding extra bits to the process of encrypting the data. This makes it possible to gain access to information more quickly. PO through Pn is the elliptical curves that are utilized for the data encryption process in the first layer. In contrast, the elliptical curves that are utilized for the data encryption process in the second layer are divided into two groups. The processes of encrypting and decrypting the data both require all of these steps to be completed successfully. These two stages ensure that the data are secure. Data loss and security concerns have surfaced as a direct outcome of the approaches that came before them. ECC is used to mitigate the impact of these vulnerabilities by securing the data and preventing it from being compromised for unethical purposes. Data security and augmentation of bigger datasets may be accomplished quickly and simply with this asymmetric cryptography technology, allowing for the provision of security services to be provided more quickly. ECC enables the two operations, i.e., accessing and securing data using cloud computing at the same time.

The strategies that were used by Chander Kant [28] to comprise the classification of data rendering are compassion and significance. This was followed using a diversity of cryptography methods, such as AES (which is a technique for symmetric cryptography), SHA-1 (which is a technique for hashing), and ECC (which is a method for elliptical bend cryptoanalysis) (an Asymmetric Cryptography technique). Most authors have used a single essential for both encoding and decoding from the dawn of time, leaving them vulnerable to a multitude of catastrophic attacks. This practice has been in place since the beginning of time. As a result, the hybrid technique requires the use of two distinct solutions for an individual encoding and decoding operation that is performed.

An ECC-based technique was proposed in a study that Manish Kumar et al. published [29]. This strategy was intended to improve the efficiency of DNA encoding. The RGB image is first encoded using DNA encoding, and then, it is encoded using an asymmetric encryption method that is based on the Diffie–Hellman key exchange. The photo is protected by encryption so that no one can make a copy of it using elliptic curve Diffie–Hellman (ECDHE). To evaluate the effectiveness of the suggested method, it is applied to a conventional sample collection of test images. In this study, key spaces, key sensitivity, and statistical analysis are all taken into consideration [30]. In the study, R. Balasubramanian et al. looked at the value that was obtained by multiplying two real-valued multiplicative purposes that had different inputs. This method determines the predictable number of primes in such a way that after a chance elliptical bend ended rationales have been abridged ended these primes. The resulting curve has N points, which is the same as the number of opinions on the random elliptical curve. A planning-enabled intermediary encryption solution was presented by Vijayakumar, V., et al. [31] to address the concerns regarding the level of security. Using this approach, a duly authorized agent will have restricted access to the documents for a period that has been set in advance. This strategy makes use of both a searchable encryption method and a technique known as proxy Re-encryption.

The AKM-IoV secure authenticated key management protocol was proposed by Wazid et al. [32] for use in loV placement that is associated with fog computing. After IoV transmitting entities have completed mutual authentication inside the AKM-IoV that has been configured, they create session keys for use in secure data transfers. Miao et al. [33] provide an outsourced Hybrid Keyword-Field Search on encoded data with effective Keys Management (HKFS-KM) technique by using a keyed hash tree and a suitable score function. This technique searches for keywords and fields simultaneously on encoded data. To address the vulnerabilities in the protocol's security that Shen et al. found, Park et al. [34] presented a key agreement mechanism for V2G in SIoT that is dynamic, protects users’ privacy, and uses a minimal quantity of capital. The proposed protocol offers protection against many different categories of attacks, such as trace attacks and impersonation. It also guarantees anonymity, session key safety against man-in-the-middle attacks, replay secure mutual authentication, offline password guessing, and perfect forward secrecy.

However, as shown in Table 1, the majority of KMP protocols are vulnerable to a variety of security threats such as User Anonymity (UA), Ephemeral Secret Leakage (ESL), Denial-of-Service (DoS), Privilege Insider (PI), Password/Biometric Change (PBC), User Impersonation (UI), Device Impersonation (DI), Man-In-The-Middle (MITM), Stolen Smart Device/Card (SSD/SSC), and Password Guessing are just a few examples (PG). We propose an HCA-KMS based on authenticated encryption with AES and Elliptic Curve Cryptography in this work (ECC).

Table 1 A summary of the key management protocols (KMP) involved

Figure 2 illustrates how data integrity preservation and secure data sharing in the public cloud are accomplished in. The key generation in this proposed obfuscation approach is not regarded to be a separate process because the key is retrieved from the plain text that is being obfuscated [24]. The key for ciphering the plain text before this one is generated from the plain text before this one. To find the most essential terms in a text, it is vital to incorporate this language processing technology. Their primary goal is to avoid using a repeating key, such as the one used in the Vigenere cipher.

Fig. 2

Existing methodology for secure data sharing [24]

The full text was chunked into characters using a language processing technique, to avoid pressing the same key twice. In the case of plain text, each ten-word block is classified as a segment, and the full plain text is broken down into individual words [25, 60,61,62,63]. The first five words of a segment have been encrypted with the help of the five words. If we compare the lengths of characters, we may observe that they are not all created equal, as previously said. In these instances, the approach of repeated keys developed by Vigenere has been employed.

Under the contributory key management strategy, each member of the group makes a small contribution to the establishment of the group's key. These fundamental management strategies can be implemented using both non-tree models and tree-based models, depending on the situation [64]. Tree-based models are frequently encountered in the literature on GKM. In the case of tree-based models, each leaf represents a user, and every leaf-to-root node represents an auxiliary key for that individual. The design of the structure includes a hierarchy among its constituent pieces, which is inherent in its construction. By arranging keys logically, a simple rekeying procedure can be achieved.

When a person joins or departs an organization, a new key must be supplied to all of the organization's members. In GKM, this is accomplished by the distribution of new keys. According to academic literature, hierarchical tree structures are used to manage and distribute keys to keep track of who has what [65]. A technique for key management is given that makes use of a compressed binary tree to address the task at hand. Because of its capacity to address the core problem of key management scalability, the proposed Cryptographically Transferred General Key Management (CTGKD) technique is ideal for cloud systems with a large number of users. Communication, processing, and key distribution costs are all decreased as a result of the CTGKD technique's implementation. This is a win–win situation. GC is originally employed to construct a tree-based group in which it serves as the root node. Those who join the group are automatically inserted as the left child if their user id begins with zero or one, respectively, and as the right child otherwise. It is necessary to address the user's departure from the group by removing him or her from the group and finishing the key updating operation.

3 Proposal for enhancement of KMS

Using the Internet and a remote server, cloud computing has exploded in popularity as a means of storing and accessing data. Physical resources are not owned by clients, but rather are leased from a third party. The most common methods for managing users and keys are user setup, key development, expiration, and destruction. Businesses are concerned about data security because of the amount of sensitive information they send over the Internet [66,67,68,69,70,71]. Any system that deals with cryptographic keys can be said to be using this term. It entails the creation, distribution, processing, and use, as well as the destruction and replacement of keys during crypto shredding. Cryptographic protocols, key servers, client procedures, and other related protocols are all included in this. Users or systems may share keys at the user or system level. In contrast to key preparation, which relates to the management of keys in the cipher's internal functioning, this is not the case here. The safety of a cryptosystem depends on its ability to effectively manage its keys. Rather than relying solely on computation, cryptography encompasses features of social technology such as system processes, user training, organizational and departmental interactions, and so on.

Protecting sensitive and private information from unauthorized access is part of security. To ensure the safety of the data, it must be kept confidential, protected from unauthorized access, and limited in integrity so that only authorized individuals to have access to it when it is needed (availability). The discovery of key cryptography in the field of cryptography appears to be ground-breaking. Key cryptography can be used for both encryption and secrecy [72]. Public key cryptography, such as RSA, is one such method.

New and improved public-key cryptography key management systems have been proposed. This method encrypts the data using the user's key and then uploads it to the cloud, making it secure. To make the KMS (Secure Key Management System) highly secure, the encryption (E) and decryption (D) processes rely on key creation. In contrast with standard key management systems, KMS cryptanalysis employs a time-consuming method of analyzing keys.

Figure 3 depicts the HCA-KMS, the proposed methodology for secure data sharing in a cloud environment. In the proposed methodology, the user first encrypts the file using the proposed HCA-KMS. After the successful encryption of the file, a QR code is generated and sent to the registered email address of the existing user. Then, the encrypted file is uploaded to the cloud for the client and a link of the same is shared with the client along with the generated QR code in the.png extension which acts as the KeyGen for the decryption of the file. An HCA algorithm-based encryption process is shown in Fig. 3a in which a file (of any format) has been uploaded using a proposed algorithm to be encrypted. A QR code is generated at the time of the decryption process in the form of KeyGen by which a file of any format is successfully decrypted using the proposed HCA algorithm (as shown in Fig. 3b). From the perspective of implementation, a block diagram of secure data sharing in a cloud environment is depicted in Fig. 4. Figure 5 shows the encryption process using the HCA algorithm while the decryption process is shown in Fig. 5. Before encrypting the file, double-check the file's format to validate the experiment's findings. The file can be opened with ease before encryption, but it cannot be opened after encryption. Similarly, utilizing the proposed algorithm to decrypt the encrypting file will yield the identical original file (Fig. 6).

Fig. 3

HCA-KMS a proposed methodology for secure data sharing in a cloud environment a: encrypted data using HCA, b: decrypted data using HCA

Fig. 4

Block diagram of proposed secure data sharing in a cloud environment

Fig. 5

HCA algorithm-based encryption process

Fig. 6

HCA algorithm-based decryption process

3.1 Phase of proposed HCA-KMS

Different phases (i.e., setup, encrypt, keygen, decrypt, and extract) of the proposed HCA-KMS are incorporated in Fig. 3. A description of the same is given below:

1. a.

   Setup (N, 1ⁿ): The data owner or cloud server (Cloud Server 1, Cloud Server 2, …. Cloud Server n) runs this algorithm first. It outputs the public parameters when given a security parameter 1ⁿ and the number of files N.

2. b.

   Encrypt (Pub_k, i, w, Select file(), Encrypt_file(), Encrypting(), Qr_Manage()): The data owner is in charge of this algorithm. It generates the keyword ciphertext (Ci) for each file index (i) and keyword (w).

3. c.

   KeyGen: The data owner uses this procedure to generate one pair (public_key, Master_key), which consists of a public key and a master key.

4. d.

   Decrypt (Priv_Key, Choose file(), Select _ qr(), Decrypting(), decrypt_text()): Trust evaluator received the decrypted file from the cloud environment with the help of a QR code.

5. e.

   Extract (Pub_k, Master_Key, Files_S): The data owner is in charge of this algorithm. It generates the aggregate key KS from the data owner's pub_key master_key and a set S of file indices. The data owner then sends the authorized user the aggregate key KS and the set S.

Steps a, b, and c are contemplated with the help of enhanced AES which incorporates a function for QR code generation (DesfQr_manage (string) referred from a subsection of 3.2.1). The steps d and e have been carried out with the help of an enhanced ECC algorithm which incorporates the function for decoding the QR code.

3.2 Encryption and decryption mode of HCA-KMS

A cryptographic key management system, commonly known as the Key Management Method (KMS), is an automated system for creating, transmitting, and preserving cryptographic key management schemes (CKMS). Everything from key creation to key exchange to consumer processing is handled securely in this system. In a KMS, not only are the back-end functions of generating and delivering keys contained, but so are the user's capabilities for injecting, storing, and altering device keys. Scalability, protection, dependability, diversity, and governance are just a few of the issues that IT departments must deal with while trying to manage and preserve their encryption keys. Whether you're securing your home or your information, a key is a vital component of any security strategy. The encryption key can be used to protect sensitive information from being accessed by other users. If the application has a large number of users, the key management system must generate and distribute a unique key for each user [73]. To effectively manage a key, a variety of strategies and approaches can be used to achieve success. Basic principles of cloud governance have been broadly established in recent years.

For private weighted sum aggregation using secret weights and secret information, this paper addresses the problem of aggregator programs that attempt to compute the weighted sum of local data for a collection of agents. Based on the literature review, we analyzed an existing method for private weighted sum aggregation and then offer a unified strategy. Hopefully, you have found this paper helpful in choosing the best solution for your knowledge dissemination and privacy needs. In Fig. 7, the private weighted sum aggregation process is shown.

Fig. 7

Private weighted sum aggregation process

Cryptographic keys are generated, stored, and exchanged through key management. Ensure that this is done safely to avoid assaults like the man-in-the-middle attack [66]. Symmetric and asymmetric encryption is orthogonal to key management [74]. It is anticipated that cryptographic key management is implemented and integrated, which means that the keys are assumed to be safely kept, retrieved, and used.

Because encryption prevents unwanted access to the original information and prevents it from being seen by others, it provides security. The encryption algorithm relies on computational complexity, making it nearly impossible to decipher. As a countermeasure to specific dangers, encryption and key management techniques are not a panacea for data security, but they can be considered acceptable in some instances anyhow. Encryption can assist both the consumer and the service provider keep their data safe in the cloud. Aside from that, encryption is frequently mandated by law or may be useful to comply with it. Although encryption does not prevent data from being lost or compromised in and of itself, the concept of encryption makes it considerably more difficult for anyone other than the intended recipient to make use of the data in any manner.

Key management issues must also be taken into account when contemplating the encryption process in order to ensure that the keys utilized are not compromised. Mobile devices used to access the cloud often go missing, putting the security of any keys stored on them at risk. This is especially true if keys are saved on those devices. When dealing with key management issues, it is necessary to evaluate the keys' whole life cycle, from the time they are created until they are no longer needed to protect the data they protect. Key management and associated concerns will be covered in this paper. Cryptosystems use a process called "key management" to regulate all aspects of keys, from creation to destruction. It has several safeguards and protocols in place to ensure that only authorized personnel have access to the keys at all times. The most difficult component of cryptography, however, is "key management." Key management policies must be in place to ensure that data encryption operations are safe and secure [75].

A new type of public-key encryption called KMS is introduced. Messages are encrypted in KMS not just with a public key, but also with a ciphertext identity known as a class. The key owner is the sole holder of a master secret key, which is what it is called. For different classes, it can be used to extract secret keys. Class-specific aggregate keys match extracted keys that may be secret keys for the class in question. Large numbers of such keys are at its disposal. However, the decryption power for any subset of ciphertext classes is multiplied by the power of multiple such keys. A key assignment is a key aggregate cryptosystem as shown in Fig. 8.

Fig. 8

Key assignment is a key aggregate cryptosystem

The following steps are considered for executing the KMS Encryption.

Step 1: In setup, the data owner sets the public system parameter that is accessible to all users.

Step 2: KeyGen is used to create a public and a master secret key pair.

Step 3: Emails are protected by Encrypts security measures.

Step 4: The plaintext communication that is to be encrypted is referred to as ciphertext.

Step 5: This decryption key is generated by extracting a set of ciphertext classes and the owner's master secret.

Step 6: A secure email or secure channel is used to distribute the generated keys to delegates.

Step 7: It is possible to decrypt any ciphertext with an aggregate key, provided the ciphertexts class is included in the aggregate key.

Step 8: Aggregation of ciphertext is calculated using the mentioned key management system algorithm.

Step 9: Authenticate the authentic user using the aggregation of signature.

Step 10: After getting the authenticated user, verify the user by using the verification process.

Step 11: The algorithm terminates or stops, once all the steps are successfully executed.

Following is the algorithm for the proposed HCA-KMS strategies:

The proposed algorithm takes up the following:

• The pseudo-code generates a class encryption, which the user can use to encrypt data using an encryption method. The proposed algorithm is also known as a digest algorithm, which digests the data input from the user and generates key-based data content. A key (qr code) is used to generate the decryption and it is received from the key generation and management service. Users are not required to keep the key on them. They can securely delete this key.

• The upload query will appear after the successful login process of the user. The user can upload the data in the form of files (of different extensions) by selecting the yes option. By selecting the No option, the user will exit the uploading phase.

3.2.1 Pseudocode of data encryption

The following is the pseudocode for steps a, b, and c in the proposed HCA-KMS provided in 3.1 sub-section.

Class Encryption:

Methods:

• Select file().

• Encrypt_file().

• Encrypting().

• Qr_Manage().

Working of File Selection:

1. 1.

   Set file path = select file()

2. 2.

   Try:

   1. a.

      encrypt_file

   • Except:

   1. b.

      Display Error Of internet or File failure

3. 3.

   Encrypting()

4. 4.

   Qr_manage()

Def Select _file()

1. 1.

   Try:

   1. a.

      Open tkinter file dialog box and choose the path file

   2. b.

      Set path = chosen file

• Except:

• Show error

Def Select _file()

1. 1.

   Try:

   1. a.

      Save_path = Open tkinter file dialog box and get the location for saving the encrypting file.

   2. b.

      Thread = Encrypting()

   3. c.

      Start Thread

2. 2.

   Except:

   1. a.

      Display Error On gui

Def Encrypting()

1. 1.

   File = Open(path)

2. 2.

   Set content = Read file text

3. 3.

   Set encrypt_message = encrypt_text(content)

4. 4.

   Set secret key = Secret_key(encrypt_message[4])

5. 5.

   Try:

   1. a.

      Qr_manage(secret ley)

   2. b.

      File = open(save path)

   3. c.

      Write content to file

   4. d.

      Display Done message on GUI

6. 6.

   Except:

• Display Error Message

Desf Qr_manage(string)

1. 1.

   Qr = Make_Qr(string)

2. 2.

   Save Qr with Security

3. 3.

   Set mail = user-id

4. 4.

   Try:

   1. a.

      Send message(mail,subject,message,Qr)

   2. b.

      Os.remove(Qr)

   3. c.

      Return

5. 5.

   Except:

• Os.remove(Qr)

• Display error

3.2.2 Pseudocode of data decryption

The following is the pseudocode for steps a, b, and c in the proposed HCA-KMS provided in 3.1 sub-section.

Class Decryption:

Methods:

1. 1.

   Choose file()

1. 2.

   Select _ QR()

1. 3.

   Decrypting()

1. 4.

   decrypt_text()

Working of Choose File for Decryption:

1. 1.

   File = Choose_file()

2. 2.

   Qr_path = select_qr()

3. 3.

   Try:

• Decrypting ()

• Except:

• Display Error

Def Choose file ()

1. 1.

   Set File_path = open tkinter file dialog box to take the path of the encrypted file

Def select_Qr()

1. 1.

   Qr_path = open tkinter box to take the Qr image path associated with the encrypted file

Def Decrypting ()

1. 1.

   Thread = Thread(decrypt_text)

2. 2.

   Thread.start()

Def decrypt_text()

1. 1.

   If file_path =  = None

• Display Error

• Display Choose file

1. 2.

   Else if Qr_path =  = None

• Display Error

1. 3.

   Else:

   1. a.

      Try:

   2. b.

      File = Open(file_path)

   3. c.

      Content = file.read()

   4. d.

      Encode content to bytes using ast module

   5. e.

      Content = ast.literal(content)

   6. f.

      Decode the Qr_ code

   7. g.

      Dec = decode(Qr_path)

   8. h.

      Decrypted text = decrypt message(content,Dec)

   9. i.

      File = open tkinter box and ask for saving the file

   10. j.

       Save the decrypted text into the file

2. 4.

   Except:

   1. a.

      Display error

• Display “Unable to decrypt the file”

3.3 Experiments and analysis of the proposed scheme

The experimental results are presented in this section, along with an analysis of the findings. On operating systems (7, 10, 11), Linux, and Mac with Intel i7 pre-processors, minimum processor i3/Rygen 3, and with 30 GB storage and 3 GB < RAM, the proposed technique was implemented in Python version (3.9 and above). The modules of Python used in the implementation process are ast, os, JSON, random, string, threading, kivy, tkinter, data time, QRcode, pyzbar, and PIL.

3.3.1 High levels of security for healthcare information

Patient information like confidentiality, integrity, resource utility, security with respect to cloud users, and log-time comparison is currently the most critical challenges in the healthcare sector for establishing excellent patient care standards. We tested it on a set of healthcare users joining and leaving dynamically and confirmed it by applying it to virtual servers, demonstrating that the healthcare network system's rekeying overhead, threats, and computing cost are decreased when compared to existing schemes. Table 2 depicts the difference in time required to securely communicate information about varying numbers of healthcare users. The relationship is therefore expressed as follows: Number of cloud users (N) Time taken (T) (i.e., N = pT, 0 k1), where p is a smoothing constant and p = N/T.

Table 2 Analysis of proposed HCA-KMS healthcare information without key server approach

Table 3 contains user identity information such as first name (Fn1, Fn2,..F10), last name (Ln1, Ln2,…..LnN) e-mail address, user name, and password. When the number of users exceeds the amount of Umax, the server split is shown in Table 3. Local hosts are used to identify the servers. With Umax = 20 for each server, Table 3 is obtained. As a result, when the 21^st user joins a server's group, the healthcare user is immediately assigned to the next server. Users 1 to 20 are on Server 1 with the local host 8080, and new users are routed to the next server with the local host 8280. Similarly, when users leave the group on a whim, the servers rebalance their workload.

Table 3 Healthcare user details along with master key and virtual server

The data shown in Table 4 show that when the number of healthcare users grows, the time it takes for them to communicate with one another decreases from seconds to milliseconds.

Table 4 Analysis of proposed HCA-KMS healthcare information with key server approach

For patient enrolment in each semantic group, the completeness of sample electronic patient data is computed and summarized in Table 5.

Table 5 Evaluation of the completeness of a sample of electronic patient records after network access

Login verification and encrypted transmission ensure the security of healthcare data. The login file can be used to link a specific person to a given transaction, hence increasing accountability. Furthermore, if the number of users and group size (N groups) grow rapidly, the key server is separated into many virtual key servers for quick access to healthcare data and to improve security in sensitive group communication. The proposed HCA-KMS mitigates the risks to the greatest extent practicable. As a result, the proposed scheme can be organized into a powerful solution that allows for fast, safe access to any type of healthcare network application, such as Telemedicine and Healthcare Informatics. For key generation, encryption, and decryption of healthcare materials, the proposed approach employs a master key encryption algorithm. Furthermore, if the number of users grows rapidly, the key server is split into numerous virtual key servers to provide faster access to healthcare data and to improve the security of the group-organized healthcare network system. The results show that rekeying overhead is lowered while communication time (reduced from seconds to milliseconds) is reduced securely with less time complexity and communication overhead. Surgical treatments are increasingly being performed remotely by physicians. Disturbing this situation could put the patient having the treatment in danger. As a result, the proposed system is compatible with telemedicine and e-healthcare information system correctness and has dependability in providing secure and fast access to patient data.

4 Results and comparative analysis

The results of the experiments are then compared to those of other studies to make sure they are valid. The present approach is matched with a certain parameter's base to arrive at an estimate of research performance. A large amount of security is provided for healthcare information through the proposed enhanced version of KMS. Log time, storage overhead, security of cloud users and resource utilization, integrity, and confidentiality are all factors that are examined when determining performance.

Data sharing is a common use of the key-aggregate cryptosystem. When the delegation is expected to be efficient and adaptable, the key aggregation attribute comes in handy. Using these techniques, a content provider can securely and selectively distribute her material to approved users while maintaining complete control over the ciphertext expansion.

To judge a node that has only interacted with it three times, for example. It may, however, have 100% confidentiality in a goal node with which it has interacted 100 times. We offer a statistical trustworthiness metric. Higher levels of confidence result in higher levels of direct trust; lower levels of confidence need a computation of trust values based on both direct and indirect trust values. The error level influences a node's direct trust calculation for another node. The error between the nodes can be calculated using Eq. 1, where x and y are the variables of \(\gamma\) and c and \(\beta\) are the constant values for p and U.

$$\gamma_{{x,y{ }}} = { }\frac{{\mathop \smallint \nolimits_{{dt_{{x,y^{ + \varepsilon } }} }}^{{{\text{d}}t_{{x,y^{ - \varepsilon } }} }} \left( {1 - p} \right)^{\beta - 1} {\text{d}}p}}{{\mathop \smallint \nolimits_{0}^{1} \cup^{ \propto - 1} \left( {1 - \cup } \right)^{\beta - 1} {\text{d}} \cup }}$$

(1)

4.1 Confidentiality

Figure 9 depicts the results of comparing the methods in practice with the proposed method in terms of secrecy. The X-axis shows the delegation ratio, while the Y-axis shows the confidentiality ratio. The delegation ratio refers to the proportion of delegated cipher text classes to the total number of classes. Dual encryption with an identifier is popular because of the methods proposed in an earlier technique. KMS, a new method for safely transferring keys, does just that. Results from real-world applications show that the KMS methodology delivers maximal confidentiality when compared to GKM methods. Table 6 shows the comparison between the existing GKM methods with the proposed KMS method. The delegation ratio can also be calculated using the below-given equation.

$${\text{Delegation Ratio }}\left( \% \right) \, = \, {{{\text{Discretion}}} \mathord{\left/ {\vphantom {{{\text{Discretion}}} {\left( {1 - {\text{Constraints}}} \right)}}} \right. \kern-\nulldelimiterspace} {\left( {1 - {\text{Constraints}}} \right)}}$$

(2)

Fig. 9

Plot for confidentiality comparison for the existing and proposed method

Table 6 Comparison table for the confidentiality

Discretion means revealing confidential information and constraints means a limitation.

4.2 Integrity

Using Table 7, we compare the proposed methods' integrity values to those of the existing methods. A delegation ratio of 0.9 results in 94.4 percent integrity, according to KMS. Figure 10 depicts the comparison of the current approach's integrity results with those of the new KMS technique. The X-axis shows the ratio of delegated work to total work, and the Y-axis shows secrecy. The delegation ratio refers to the proportion of delegated cipher text classes to the total number of classes. Dual encryption with an identifier is a popular method that has been around for a while. KMS, the technique under consideration, makes use of secret key management. According to practical results, the new KMS approach achieves its maximum integrity in comparison to existing methods.

Table 7 Comparison table for the integrity

Fig. 10

Plot for integrity comparison for existing and proposed method

4.3 Resource utility

A CC environment's resource consumption rate might fall into a variety of different ranges. The resource utilization rate is the ratio of the total amount of assigned resources to the total amount of accessible resources. An important performance metric is directly influenced by the profit or loss of the cloud provider. Accordingly, this part compares the suggested KMS with the present approach to determine which yields the highest rate of parameter resource usage, as shown in Fig. 11. 50–300 additional users are added as a result of an increase in the rate of resource usage. Lower-demand tasks are prioritized over higher-demand tasks, so more high-capacity resources are available to those users. Using Table 8, we have compared the proposed methods' resource utility values to those of the existing methods in terms of task scheduling.

Fig. 11

Plot for resource utility comparison for existing and proposed method

Table 8 Comparison table for the resource utility in terms of task scheduling

4.4 Storage overhead

KMS authentication is lightweight in terms of storage because just the actual files and logs are required to keep track of user information. Further, JAR acts as a compressor, and input files are converted into XML format of the files that it handles. Repeated logging can be seen when a large number of entities are constantly accessing the data. Figure 12 depicts the findings of the second experiment, which focuses on the storage overhead involved in creating a log file. The proposed framework has a storage overhead of 7 percent for 50 cloud users, whereas the existing framework has a storage overhead of 11 percent for 50 cloud users. Table 9 shows the comparison (between the existing with the proposed method) for the storage overhead in terms of users. Memory requirements for GKM 1 {11 + 19 + 26 + 35 + 43 + 55} = 189 bits, GKM 2 {9 + 17 + 24 + 33 + 39.5 + 48.5} = 171 bits, GKM 3 {8 + 16 + 22 + 31 + 37 + 50} = 164 bits, and proposed KMS method {7 + 15 + 20 + 27 + 36 + 42} = 147 bits. It is obvious from Fig. 12 that the proposed KMS method requires less storage overhead as compared to GKM 1, GKM 2, and GKM 3. Storage overhead can be calculated by equation number 3:

$$\mathop \sum \limits_{i = 50}^{n = 300} {\text{GKM}}$$

(3)

Fig. 12

Plot for storage overhead comparison for existing and proposed method

Table 9 Comparison table for the storage overhead in terms of users

where n is the number of cloud users.

4.5 Security with respect to cloud users

The third round of testing was conducted to establish the level of security provided by the aforementioned methods of authentication, and the results are depicted in Fig. 13. The overall security grade of the proposed framework is 87.86 percent based on 200 cloud users' feedback. To calculate log file size, the following formula (see Eq. 4) has been used: Security data sent and received have a different size in terms of log file size and thus are aware of this while calculating log file size. Using Table 10, we have compared the proposed methods' security values to those of the existing methods in terms of users. Using Eq. 4, we can calculate the log file size of cloud users.

$$\mathop \sum \limits_{i = 50}^{n = 300} (\log {\text{file size}})$$

(4)

Fig. 13

Plot for security comparison for existing and proposed method

Table 10 Comparison table for the security levels in terms of users

The amount of data transferred from data owners to cloud users is expected to increase. You will not have any leaks if you are concerned about security during transmission. This research found that the difference in log file size between the data transmitted by the data owner and the data transmitted by the cloud user is a good indicator of data security. These log files are generated by the log harmonizer. If the size of the log file is changed, the level of security in that transmission will be reduced. When the size of the log file is altered, it is required to validate the integrity of the data included within the log file. Based on the findings, it can be stated that the KMS framework is exceptionally safe while also being incredibly space-efficient when compared to alternate approaches to the problem.

4.6 Log time comparison

The first set of tests looks at how long it takes to produce a log file while entities are continuously accessing the data and documenting everything they see. Log file creation time grows linearly with log file size, as illustrated in Fig. 14. Specifically, it takes roughly 1.9 s to create a 100 KB file and about 6.21 s to create a 1000 KB file. The experiment maintains the basis for determining the length of time specified between dumps in an uncomplicated manner, even when variables like space restrictions or network traffic are taken into account. Using Table 11, we compare the suggested methods' log time comparison values to those of the existing methods in terms of users.

Fig. 14

Plot for log time comparison for existing and proposed method

Table 11 Comparison table for the log time comparison in terms of users

5 Conclusion

We have proposed an HCA-KMS based on authenticated encryption with AES and Elliptic Curve Cryptography in this work (ECC). To ensure the safety of CC data storage, the proposed Centralized Cloud Information Accountability (CCIA), i.e., an HCA system with a KMS, is explained in this article. To maintain the highest level of security, the private key is securely exchanged. By selecting one random prime number for each parameter value and master secret key, secure key generation has been completed. Secure data transmission makes precise and reliable authentication feasible. Attribute-based encryption provides safe and dependable access control restrictions. Research methods may be fully implemented in CloudSim to produce better results than with the proposed methods. Using this key management system, the data owner cannot only inspect their material but also establish strong back-end security if necessary. The data owner provides the Cloud server with the data, the list of users, and the parameters needed to generate JAR files. Key management, encryption, and decryption are all handled by the Cloud Server, which is a trusted third party. Using the private key generated by the KMS, the Cloud server encrypts the data. Cloud computing attacks can be avoided with the suggested KMS architecture because of its ability to ensure lightweight and powerful accountability. We have been working on this project intending to enhance public cloud storage solutions' privacy and security. We believe we have made some progress toward ensuring the privacy and security of public cloud users, data owners, and service providers. This research project could be expanded by comparing multicast communication with other types of cryptographic algorithms and determining the best cryptosystem for secure healthcare communication. There is expansion of single-bit encryption to multi-bit encryption for the first construction and lowering of the number of trapdoors in the multi-owner’s scenario for the second construction. Furthermore, we will work to make the above schemes leakage-resistant in the future. A multiprocessing system for better performance and low latency may be used during the implementation process.