Attack on Privacy-Preserving Public Auditing Schemes for Cloud Storage

With the development of the Internet, cloud computing has emerged to provide services to data users. However, an auditor must be able to check, on behalf of users, the integrity of the data stored in the cloud. The cloud server must also ensure the privacy of the data. In a usual public integrity check scheme, a linear combination of data blocks is needed for verification. But after repeated audits of the same data blocks, the auditor might derive these blocks from the collected linear combinations. Recently, a number of privacy-preserving public auditing schemes have been proposed. With blinded linear combinations of data blocks, the authors of these schemes believed that the auditor cannot derive any information about the data blocks and claimed that their schemes are provably secure in the random oracle model. In this paper, through a detailed security analysis of these schemes, we show that they are vulnerable to an attack by a malicious cloud server that modifies the data blocks and succeeds in forging proof information for the data integrity check.


Introduction
With the development of the Internet, cloud computing has emerged. Cloud computing is a new model of computing in contrast to conventional computing. This new paradigm allows data users to outsource their data to a cloud service provider. The term cloud refers to thousands of virtualized servers distributed over a set of data centers in different geographical locations, connected together through telecommunication links [1]. The services on the cloud are delivered to users under a pay-as-you-go pricing model.
Although cloud computing offers various advantages to both users and the cloud service provider, and is envisioned as a promising service platform for the next-generation Internet, security and privacy are the major challenges that inhibit the wide acceptance of cloud computing in practice. Once data users transfer their data to the cloud, they lose physical control over the data. The outsourced data on the cloud are at risk from internal and external threats. The first threat is that the cloud service provider might delete less frequently accessed data. So, users need to make sure their data remain intact after uploading to the cloud, and data integrity checking is becoming vital. As data users no longer physically possess the storage of their data and are confined by resource capability, traditional integrity checking technologies are not well suited for the cloud environment. Data users want a third party to verify their data integrity on their behalf. This is how the issue of public auditing for data integrity checking arises.
After Ateniese et al.'s first work [2], many public auditing schemes [3][4][5][6][7][8][9][10][11][12][13][14][15][16] were proposed for data integrity checking. In a typical public auditing scheme, there are three parties: one data user, one cloud server, and one auditor. The data user transfers his data to the cloud for storage and computing. On behalf of the user, the auditor, who has the experience and capability, is responsible for the data integrity check. Before sending data to the cloud, the user divides a data file into many data blocks. Then, using a signature technique, the user generates an authentication tag for each block. These tags are sent to the cloud server with the data blocks. To check the integrity of the outsourced data file, the auditor uses the idea of sampling tests and sends challenging information to the cloud server. Upon receiving the challenging information, the cloud server generates a response from the data blocks and the corresponding block tags and sends the response to the auditor. Then, the auditor verifies the validity of the response. If the response is valid, the auditor and the user believe the outsourced data file remains intact.
In the security model of public auditing schemes, the user is honest. But the cloud server is a semitrusted party. As mentioned earlier, the cloud server might delete less frequently accessed data for his own benefit. The auditor is honest but curious. The auditor might obtain some information about the data during the auditing process. So, a secure public auditing scheme should also satisfy the privacy-preserving requirement. In fact, in many existing schemes, the linear combinations of data blocks are needed for verification, without any data privacy guarantee against the auditor. The users, who rely on the auditor only for the storage security of their data, do not want the auditing process to leak any information about their data. But, based on the linear combinations of the same data blocks collected over repeated checks, the auditor might derive these data blocks.
Recently, some public auditing schemes [17][18][19][20][21] concerned with privacy preservation have been proposed. In [21], Li et al. proposed a privacy-preserving cloud data auditing scheme with efficient key update and claimed their scheme is proved secure in the random oracle model. The difference between Li et al.'s scheme and other existing schemes is that in Li et al.'s scheme each block is further fragmented into a certain number of sectors, and the authenticator for each block is related to each of its sectors. In [19], Wang et al. proposed a privacy-preserving public auditing scheme for secure cloud storage and claimed that their scheme is provably secure and highly efficient. In [17], Wang et al. proposed a privacy-preserving public auditing scheme. But, in [18] Worku et al. showed that in Wang et al.'s scheme [17] the malicious cloud server can forge a signature for any block he selects. So, once the server possesses data from users, he can modify the data as he wants. Worku et al. also proposed an efficient privacy-preserving public auditing scheme and claimed that the proposed scheme is proved secure in the random oracle model. However, in this paper, we will point out that these schemes [18,19,21] are insecure. A malicious cloud server can break the data integrity in these schemes without being detected by the auditor.
The rest of the paper is organized as follows. In Section 2, we review bilinear pairing and the computational Diffie-Hellman problem relevant to the security of the discussed schemes. In Section 3, we review Li et al.'s scheme. We show an attack on Li et al.'s scheme in Section 4. In Section 5, we review Worku et al.'s scheme. We demonstrate that Worku et al.'s scheme and Wang et al.'s scheme are subject to the same attack in Sections 6 and 7, respectively. The conclusion is given in Section 8.
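The leak described above amounts to solving a linear system over the field in which the responses are computed. The following Python example is an added illustration, not code from the paper or from any of the reviewed schemes; the modulus, the sample blocks, the function names and the additive mask used as a simplified stand-in for blinding are all assumptions.

```python
import secrets

P = 2**61 - 1  # prime standing in for the group order (assumed value)
# Constructed sample blocks, each encoded as an integer below P.
SAMPLE_BLOCKS = [int.from_bytes(s, "big") for s in (b"alice", b"salary", b"record", b"2024")]

def run_audits(blocks, rounds, blind=False):
    """Return the auditor's transcript: one (coefficients, response) pair per audit."""
    transcript = []
    for _ in range(rounds):
        coeffs = [secrets.randbelow(P - 1) + 1 for _ in blocks]
        mu = sum(v * m for v, m in zip(coeffs, blocks)) % P
        if blind:
            # Simplified stand-in for blinding: a fresh nonzero random mask per audit.
            mu = (mu + secrets.randbelow(P - 1) + 1) % P
        transcript.append((coeffs, mu))
    return transcript

def recover_blocks(transcript):
    """Gauss-Jordan elimination over GF(P); None if the system is underdetermined."""
    n = len(transcript[0][0])
    aug = [list(c) + [mu] for c, mu in transcript]
    for col in range(n):
        pivot = next((r for r in range(col, len(aug)) if aug[r][col]), None)
        if pivot is None:
            return None  # too few independent challenges so far
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, P)
        aug[col] = [x * inv % P for x in aug[col]]
        for r in range(len(aug)):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]

if __name__ == "__main__":
    plain = run_audits(SAMPLE_BLOCKS, len(SAMPLE_BLOCKS))
    print("unblinded, n audits  :", recover_blocks(plain) == SAMPLE_BLOCKS)
    print("unblinded, n-1 audits:", recover_blocks(plain[:-1]))
    masked = run_audits(SAMPLE_BLOCKS, len(SAMPLE_BLOCKS), blind=True)
    print("blinded, n audits    :", recover_blocks(masked) == SAMPLE_BLOCKS)
```

With n challenged blocks, n audits with independent coefficients are enough to recover every block from unblinded responses, whereas the masked responses solve to different values.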

Computational Diffie-Hellman (CDH) Problem
Given a generator  of an additive cyclic group  with order  and given (, ) for unknown ,  ∈  *  , one computes .

Brief Review of Li et al.'s Scheme
In [21], Li et al. proposed a privacy-preserving cloud data auditing scheme with key update. Here we review it but omit the content related to key update.
KeyGen. On input of the common reference string crs, a cloud user generates a signing key pair (spk, ssk), spk =  ssk , and another key pair (, V) for generating authenticators of file blocks, where  ∈   and V =   . The secret key of the data user is sk = (, ssk) and the public key is pk = (spk, V). For convenience, let   = (  , V),  = 1, . . ., .
AuthGen. Given a file , the data owner first applies an erasure code such as an RS code to obtain a processed file   and splits   into  blocks. Each block is further fragmented into  sectors {  } 1≤≤,1≤≤ , each of which is an element of   . The data user selects a file name Fn from a sufficiently large domain.
Proof. This is a 5-move interactive proof protocol executed between the cloud server and the auditor (TPA) as follows.
(1) The TPA picks a random integer  and ,  ∈   , computing  =   ℎ  . For 1 ≤  ≤ , the TPA selects a random V  ∈   . The commitment  and the challenge chal = {, V  } 1≤≤ , which locates the positions of the challenged blocks in this auditing process, are sent to the cloud server.
(5) The TPA verifies the file tag ft firstly by checking if the following equation holds: Then, TPA verifies the equation

Attack on Li et al.'s Scheme
In this section, we show that Li et al.'s scheme is vulnerable to a modifying attack on the data integrity check.
In the proof phase, the malicious cloud server can change data blocks by modifying block sectors. He changes respectively, where  ∈   is randomly selected by the server. Other computations remain unchanged. Now, the forged proof information (, ,   ,  1 , . . .,   ) can pass the auditor's verification.
Proof. In fact, But, So, (, ,   ,  1 , . . .,   ) passes the auditor's verification; it is valid proof information. The malicious cloud server succeeds in the modifying attack on the data integrity check.

Brief Review of Worku et al.'s Scheme
In this section, we give a brief review of Worku et al.'s scheme [18], which is composed of four algorithms.
Let  1 =  2 =  and  :  ×  →   be a bilinear map, where  and   are multiplicative cyclic groups of prime order . Let  be a generator of . Let  : {0, 1} * →  be a hash function, which maps strings to , and let ℎ(⋅) :  →   be another hash function which maps elements of  uniformly to   .
Mathematical Problems in Engineering
KeyGen. The data user first generates a random signing key pair (ssk, spk) and then chooses  ←    and  ←   and computes V =   . The user then sets sk = (, ssk) as his/her secret key and pk = (, V, , spk) as public parameters.
SigGen. For file naming, the user chooses a random element name in   for file  = {  } 1≤≤ and computes the file tag as  = name ‖ Sig ssk (name). Next, for each block   ∈   , the user generates a signature   as follows: Then, finally, the user sends {,  = {  } 1≤≤ , } to the cloud server for storage and deletes the file and its corresponding set of signatures from local storage. Whenever the auditor wants to start the auditing protocol, he first retrieves the file tag  for  and checks its validity using spk, and quits if the check fails.
If the proof on  is correct, the auditor sends a challenge chal to the server. That is, the auditor picks random elements ,  1 ,  2 in   and sends chal = (, 1 ,  2 ) to the server, where  1 and  2 are pseudorandom permutation keys chosen randomly by the auditor for each audit.

Attack on Worku et al.'s Scheme
In this section, we demonstrate that the malicious cloud server can break the integrity check by a modification attack.
Suppose a file  from the data user is divided into  blocks; that is, =  1 ‖  2 ‖ ⋅ ⋅ ⋅ ‖   . Let   be   's authentication tag. Let  be a malicious cloud server. When  receives the file ,  might replace each file block   with ⋅  . Here (∈   ) is randomly selected by . Upon receiving the challenge information, in the ProofGen phase,  can change into respectively. Other computations remain unchanged. Then, the forged proof information can pass the auditor's verification.
Theorem 2. The forged proof information (, , ) produced in the above analysis can pass the auditor's verification.
Proof. In fact, based on the equations produced by the malicious cloud server, the following derivation is established: So, (, , ) passes the auditor's verification, and it is valid proof information. The malicious cloud server that modifies the file blocks succeeds in deceiving the auditor.

Attack on Wang et al.'s Scheme
To save space, we do not review Wang et al.'s scheme. For its detailed description, readers can refer to [19]. Due to its similarity, Wang et al.'s scheme is subject to the above attack.
When the malicious cloud server  receives a data file  =  1 ‖  2 ‖ ⋅ ⋅ ⋅ ‖   , similarly,  might replace each file block   with  ⋅   . Here (∈   ) is selected by . Upon receiving the challenge information, in the ProofGen phase the malicious cloud server  can change respectively. Other computations remain unchanged. Then, the forged proof information (, , ) can pass the auditor's verification. =  (( So, (, , ) passes the auditor's verification; it is valid proof information. The malicious cloud server succeeds in deceiving the auditor.

Conclusion
In this paper, we analyze three existing privacy-preserving public auditing schemes for secure cloud storage. We demonstrate an attack against them. In the attack, the malicious cloud server that modifies the data blocks succeeds in forging proof information for the data integrity check. As far as we know, it is an open problem to propose secure privacy-preserving public auditing schemes.