Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

In these days, cloud computation is a very hot research topic for its promising properties of cheap management cost for users, any where/any time access, and very scalable software and hard ware investigation [21]. However, before adapting cloud computation, data owners should ensure their data shall be secure and well protected [22,23,24]. Integrity is one of the most important security property for cloud storage. However when the data owners outsource their datum to the cloud, the datum is not controlled by the owners any more, how to ensure the datum has not been modified and changed? Cloud storage auditing protocol is such a mechanism. In 2007, the first provable data possession (PDP) scheme was proposed by Atenesis et al. [1, 2]. Also the proof of retrievability protocol for cloud storage was proposed by Jules et al. [3] and Shacham and Waters [4]. Later many cloud auditing protocols with different properties have been proposed, such as cloud auditing protocols with dynamic updates [5,6,7,8,9], cloud auditing protocols with publicly verifiability [4, 11], cloud auditing protocols with privacy-preserving [11,12,13], cloud auditing protocols with other interesting properties [14,15,16,17,18].

Recently, Zhang et al. [25] proposed an efficient ID-based public auditing protocol called IPAD for the outsourced data by combing Waters signature and public auditing for the outsourced data. They claimed IPAD is the first ID-based auditing protocol for data integrity in the standard security model. But in this paper we show their proposal is not secure. Especially, the adversaries can easily generate tags for any file, which obviously break the unforgeability property of the cloud storage auditing protocol.

2 Review of Zhang et al.’s IPAD Scheme

Here we first review Zhang et al.’s ID-based public auditing protocol in the standard model [25]. It consists the following six algorithms: Setup, Key-extract, TagGen, Challenge, Proof, Verifying, the details are given as follows:

  1. 1.

    Setup. For public key generator (PKG), it sets up the following system parameters. Given a security parameter k, it selects two multiplicative cyclic groups \((\mathbb {G}_1, \mathbb {G}_2)\) of prime order \(q \ge 2^k\), let \(e:\mathbb {G}_1 \times \mathbb {G}_1 \rightarrow \mathbb {G}_2\) be a bilinear map and \(g\in _R \mathbb {G}_1\) be a generator of group \(\mathbb {G}_1\). \(h, g_2\) are two random generators of group \(\mathbb {G}_1\). Let \(H_1: \{0,1\}^*\rightarrow Z_q\) and \(H_v: \{0,1\}^*\rightarrow \{0,1\}^{n_v}\) be two collision-resistant hash functions, where \(n_v\in Z\). And randomly choose \(\alpha \in Z_q\) as master key of PKG and compute the corresponding public key \(P_{pub}=g^{\alpha }\). Also randomly choose the following elements:

    1. a.

      \(v'\in _R \mathbb {G}_1\)

    2. b.

      \(v_i \in _R \mathbb {G}_1\) for \(i=1, \cdots , n_v\). Let \(V=\{v_i\}_{i\ in 1, \cdots , n_v}\)

    Finally publish the following system parameters:

    $$Param=(\mathbb {G}_1, \mathbb {G}_2, q, e, v', V, g, h, H_1, H_v, g_2, P_{pub})$$

    At the same time, PKG secretly keeps his master secret key s.

  2. 2.

    Key Extraction. For a data user with identity \(ID_j\), if it wants to register his identity \(ID_j\) to PKG, the following steps are executed:

    1. a.

      First it submits his identity ID to the PKG.

    2. b.

      PKG computes \(\mathfrak {B}_j=H_v(ID_j)\). Let \(\mathfrak {B}_j[i]\) be the i-th bit of \(\mathfrak {B}_j\). Then define \(V_j\subset \{1, \cdots , n_v\}\) be the set of indicies such that \(\mathfrak {B}_j=1\)

    3. c.

      To produce the private key \(d_j\) of the data user with identity \(ID_j\), PKG randomly choose \(a_{u_j} \in _R Z_q\) to compute

      $$d_j=(d_{j1}, d_{j2})=(g_2^{\alpha }(v'\prod _{i\in V_j}v_i)^{a_{u_j}}, g^{a_{u_j}})$$
  3. 3.

    TagGen. Given a data file M, the data user with identity \(ID_j\) splits M into n blocks such that each block has s sectors. Namely, \(M=m_1||\cdots ||m_n\) and \(m_i=m_{i1}||\cdots ||m_{is}\). Then it chooses a random file name Name from a sufficiently large domain \(Z_q^*\) and \(s+1\) random values \(r_0, r_1, \cdots , r_s \in _R Z_q\) to compute \(u_i=g_2^r\) for each \(0\le i\le s\).

    To produce file tag, it also does the following steps:

    1. a.

      Compute \((pk_s, sk_s)\leftarrow \varSigma .KeyGen(1^k)\) to obtain a pair of public/private keys, where \(\varSigma \) is a secure signature algorithm.

    2. b.

      Compute \(\varPhi =\varSigma .sign(sk_s, \tau _0)\) to obtain a signature on string \(\tau _0\), where \(\tau _0=``Name||n||u_0||u_1||\cdots ||u_s{\text {''}}\)

    3. c.

      For each data block \(m_i\), \(1\le i\le n\), it computes

      $$\omega _i=r_0H_1(Name||i)+\sum _{j=1}^{s} r_j m_{ij}$$
    4. d.

      The authentication tag on data block m is computed as

      $$\begin{aligned}t_i=&(t_{i,1}=(d_{j1})^{\omega _i}=g_2^{\varepsilon _1}(v'\prod _{i\in V_j}v_i)^{\varepsilon _2},\\&t_{i,2}=d_{j2}^{\omega _i}=g^{\varepsilon _2})\end{aligned}$$

      where \(\varepsilon =\alpha \cdot \omega _i\), \(\varepsilon =a_{u_j}\cdot \omega _i\) (Note that to produce a probabilistic signature, the data user with identity \(ID_j\) also can select \(\hat{r}\in Z_q\) to compute

      $$\begin{aligned}t_i=&(t_{i1}=(d_{j1})^{\delta _i}(v'\prod _{i\in V_j}v_i)^{\hat{r}},\\&t_{i2}=d_{j2}^{\delta _i}\cdot g^{\hat{r}})\end{aligned}$$

      Finally, the data user sends the data file M together with all the authentication tag \(t_i\), \(1\le i \le n\) to the cloud storage server, And delete the above random values \(r_0, r_1, \cdots , r_s\), private key \(sk_s\) of signature algorithm \(\sum \) and the local file M.

  4. 4.

    Challenge Phase. To check data integrity of the outsourced data, the auditor first verifies whether the signature \(\phi \) is valid by invoking \(\sigma .Verify(\phi , pk_s)\). If it is not, outputs 0 and terminates it. otherwise, the auditor parses \(\tau \) to recover the file, name Name and n as well as \(u_0, u_1, \cdots , u_s\). Then it randomly chooses a l-element subset I of the set [1, n] and a number \(\rho \in Z_q\) to produce the following challenging message

    $$Chall=\{\rho , I\}$$

    and sends them the cloud storage server.

  5. 5.

    Prove. Upon receiving the challenging message \(Chall=(I, \rho )\), the cloud storage server first produces a l-element set \(Q=(i, \beta _i)\) where \(i\in I, \beta _i=\rho ^i \bmod q\), Then based on the outsourced data file \(M=\{m_1, \cdots , m_n\}\) and authentication tags \(t_i\), \(1\le i\le n\), it computes

    $$\delta _1=\prod _{i \in I} t_{i1}^{\beta _i}$$
    $$\delta _2=\prod _{i \in I} t_{i2}^{\beta _i}$$

    and for \(j=1\) to s, it computes

    $$\mu _j=\sum _{i \in I}\beta _i m_{ij}$$

    Finally, the cloud storage server responds the auditor with the corresponding proof information \(Prf=(\delta _1, \delta _2, \{\mu _j\}_{j=1,\cdots , s} )\)

  6. 6.

    Verifying. According to the responded proof information \(Prf=(\delta _1, \delta _2, \{\mu _j\}_{j=1,\cdots , s})\), the auditor first computes

    $$\hat{h}=\sum _{i\in I} \beta _i H_1(Name||i)$$

    Then it verifies the integrity of data file by the following equation

    $$e(u_0^{\hat{h}}\cdot \prod _{i=1}^s u_i^{\mu _j}, P_{pub})e(v'\cdot \prod _{i\in V_j} v_i, \delta _2)=e(\delta _1, g)$$

    If the above Equation holds, the auditor outputs VerifyRst as accept; otherwise, output VerifyRSt as reject.

3 Our Attack

Our attack shows that the adversary can forge tags for any new files.

  • For the deterministic tag generation algorithm, the attack runs as the following:

    1. 1.

      First the adversary can query on the data owner \(ID_t\) for the tag generation on different data blocks \((m_1, m_2, \cdots , m_n)\), he can get the following tags for \((m_1, m_2, \cdots , m_n)\):

      $$\begin{aligned} t_{11}=(d_{t1})^{r_0H_1(Name||1)+\sum _{j=1}^{s} r_j m_{1j}},\\ t_{12}=(d_{t2})^{r_0H_1(Name||1)+\sum _{j=1}^{s} r_j m_{1j}},\\ \cdots \cdots \cdots \\ t_{n1}=(d_{t1})^{r_0H_1(Name||n)+\sum _{j=1}^{s} r_j m_{nj}},\\ t_{n2}=(d_{t2})^{r_0H_1(Name||n)+\sum _{j=1}^{s} r_j m_{nj}}, \end{aligned}$$
    2. 2.

      Let \(A_j=(d_{t1})^{r_j} (0\le j \le n)\), the adversary can get the following equations:

      $$\begin{aligned} t_{11}=(d_{t1})^{r_0H_1(Name||1)+\sum _{j=1}^{s} r_j m_{1j}}=(A_0)^{H_1(Name||1)}(A_1)^{m_{11}}\cdots (A_s)^{m_{1s}}\quad \quad (1) \\ \cdots \cdots \cdots \quad \quad \quad \quad \\ t_{n1}=(d_{t1})^{r_0H_1(Name||n)+\sum _{j=1}^{s} r_j m_{nj}}=(A_0)^{H_1(Name||n)}(A_1)^{m_{n1}}\cdots (A_s)^{m_{ns}} \quad \text {(n)} \end{aligned}$$
    3. 3.

      Note in the above equations, \(H_1(Name||1), \cdots , H_1(Name||n), {m_{11}}, \cdots , {m_{1s}}, {m_{n1}}, \cdots , {m_{ns}}\) are all known to anyone including the adversary, thus he can compute

      $$A_0, A_1, \cdots , A_s$$

      by implementing linear transformation on the exponentials with high probability (in case the computation fails, the adversary can query on new files with different data blocks and compute again until succeeding).

    4. 4.

      Once the adversary get \(A_0, A_1, \cdots , A_s\), he can compute tags for any file with name \(Name*\) and \({m_{11}^*}, \cdots , {m_{1s}^*}, {m_{n1}^*}, \cdots , {m_{ns}^*}\) as following:

      $$\begin{aligned} t_{11}=(d_{t1})^{r_0H_1(Name^*||1)+\sum _{j=1}^{s} r_j m_{1j}^*}= (A_0)^{H_1(Name^*||1)}(A_1)^{m_{11}^*}\cdots (A_s)^{m_{1s}^*} \\ t_{12}=(d_{t2})^{r_0H_1(Name^*||1)+\sum _{j=1}^{s} r_j m_{1j}^*}=(A_0)^{H_1(Name^*||1)}(A_1)^{m_{11}^*}\cdots (A_s)^{m_{1s}^*}\\ \cdots \cdots \cdots \\ t_{n1}=(d_{t1})^{r_0H_1(Name^*||n)+\sum _{j=1}^{s} r_j m_{nj}^*}=(A_0)^{H_1(Name^*||1)}(A_1)^{m_{n1}^*}\cdots (A_s)^{m_{ns}^*} \\ t_{n2}=(d_{t2})^{r_0H_1(Name^*||n)+\sum _{j=1}^{s} r_j m_{nj}^*}=(A_0)^{H_1(Name^*||1)}(A_1)^{m_{n1}^*}\cdots (A_s)^{m_{ns}^*} \end{aligned}$$
    5. 5.

      Thus the adversary could generate tags for any file, which obviously break the un-forgeability property of the cloud storage auditing protocol.

  • For the randomized tag generation algorithm, the attack runs as the following:

    1. 1.

      First the adversary can query on the data owner \(ID_t\) for the tag generation on different data blocks \((m_1, m_2, \cdots , m_n)\), he can get the following tags for \((m_1, m_2, \cdots , m_n)\):

      $$\begin{aligned} t_{11}=(d_{t1})^{r_0H_1(Name||1)+\sum _{j=1}^{s} r_j m_{1j}},\\ t_{12}=(d_{t2})^{r_0H_1(Name||1)+\sum _{j=1}^{s} r_j m_{1j}},\\ \cdots \cdots \cdots \\ t_{n1}=(d_{t1})^{r_0H_1(Name||n)+\sum _{j=1}^{s} r_j m_{nj}},\\ t_{n2}=(d_{t2})^{r_0H_1(Name||n)+\sum _{j=1}^{s} r_j m_{nj}}, \end{aligned}$$
    2. 2.

      Let \(A_j=(d_{t1})^{r_j} (0\le j \le n)\), the adversary can get the following equations:

      $$\begin{aligned} t_{11}=(d_{t1})^{r_0H_1(Name||1)+\sum _{j=1}^{s} r_j m_{1j}}=(A_0)^{H_1(Name||1)}(A_1)^{m_{11}}\cdots (A_s)^{m_{1s}} \quad \quad (1)\\ \cdots \cdots \cdots \quad \quad \quad \quad \\ t_{n1}=(d_{t1})^{r_0H_1(Name||n)+\sum _{j=1}^{s} r_j m_{nj}}=(A_0)^{H_1(Name||n)}(A_1)^{m_{n1}}\cdots (A_s)^{m_{ns}} \quad \text {(n)} \end{aligned}$$
    3. 3.

      Note in the above equations, \(H_1(Name||1), \cdots , H_1(Name||n), {m_{11}}, \cdots , {m_{1s}}, {m_{n1}}, \cdots , {m_{ns}}\) are all known to anyone including the adversary, thus he can compute

      $$A_0, A_1, \cdots , A_s$$

      by implementing linear transformation on the exponentials with high probability (in case the computation fails, the adversary can query on new files with different data blocks and compute again until succeeding).

    4. 4.

      Once the adversary get \(A_0, A_1, \cdots , A_s\), he can compute tags for any file with name \(Name*\) and \({m_{11}^*}, \cdots , {m_{1s}^*}, {m_{n1}^*}, \cdots , {m_{ns}^*}\) as following:

      $$\begin{aligned} t_{11}=(d_{t1})^{r_0H_1(Name^*||1)+\sum _{j=1}^{s} r_j m_{1j}^*}= (A_0)^{H_1(Name^*||1)}(A_1)^{m_{11}^*}\cdots (A_s)^{m_{1s}^*} \\ t_{12}=(d_{t2})^{r_0H_1(Name^*||1)+\sum _{j=1}^{s} r_j m_{1j}^*}=(A_0)^{H_1(Name^*||1)}(A_1)^{m_{11}^*}\cdots (A_s)^{m_{1s}^*}\\ \cdots \cdots \cdots \\ t_{n1}=(d_{t1})^{r_0H_1(Name^*||n)+\sum _{j=1}^{s} r_j m_{nj}^*}=(A_0)^{H_1(Name^*||1)}(A_1)^{m_{n1}^*}\cdots (A_s)^{m_{ns}^*} \\ t_{n2}=(d_{t2})^{r_0H_1(Name^*||n)+\sum _{j=1}^{s} r_j m_{nj}^*}=(A_0)^{H_1(Name^*||1)}(A_1)^{m_{n1}^*}\cdots (A_s)^{m_{ns}^*} \end{aligned}$$
    5. 5.

      Thus the adversary could generate tags for any file, which obviously break the un-forgeability property of the cloud storage auditing protocol.

4 Conclusion

In this paper, we show a recent proposed cloud auditing protocol is not secure, the reason why their scheme is not secure is that, the tag generation algorithm is not secure, by querying many times of tag generation oracle, the adversary can easily forge new tags for any block. We point out this attack is a very basic result, we leave how to strengthen their scheme to be secure as our future work.