Advertisement

Graphene: A Secure Cloud Communication Architecture

  • Abu FaisalEmail author
  • Mohammad Zulkernine
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11605)

Abstract

Due to ubiquitous-elastic computing mechanism, platform independence and sustainable architecture, cloud computing emerged as the most dominant technology. However, security threats become the most blazing issue in adopting such a diversified and innovative approach. To address some of the shortcomings of traditional security protocols (e.g., SSL/TLS), we propose a cloud communication architecture (Graphene) that can provide security for data-in-transit and authenticity of cloud users (CUs) and cloud service providers (CSPs). Graphene also protects the communication channel against some most common attacks such as man-in-the-middle (MITM) (including eavesdropping, sniffing, identity spoofing, data tampering), sensitive information disclosure, replay, compromised-key, repudiation and session hijacking attacks. This work also involves the designing of a novel high-performance cloud focused security protocol. This protocol efficiently utilizes the strength and speed of symmetric block encryption with Galois/Counter mode (GCM), cryptographic hash, public key cryptography and ephemeral key-exchange. It provides faster reconnection facility for supporting frequent connectivity and dealing with connection trade-offs. The security analysis of Graphene shows promising protection against the above discussed attacks. Graphene also outperforms TLSv1.3 (the latest stable version among the SSL successors) in performance and bandwidth consumption significantly and shows reasonable memory usage at the server-side.

Keywords

Cloud computing Security protocol Data-in-transit Authentication Perfect forward secrecy 

Notes

Acknowledgment

This work is partially supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) and the Canada Research Chairs (CRC) program. We would also like to convey special thanks to Mohima Hossain from the TRL Lab at Queen’s University for the fruitful discussion and her critics during this research work.

References

  1. 1.
    BLAKE2 - fast secure hashing (2017). https://blake2.net/. Accessed 02 Sept 2018
  2. 2.
    Hybrid CryptoSystem (2017). https://en.wikipedia.org/wiki/Hybrid_cryptosystem. Accessed 02 Sept 2018
  3. 3.
    Weak Diffie-Hellman and the Logjam Attack (2017). https://weakdh.org/. Accessed 02 Sept 2018
  4. 4.
    CRIME (2018). https://en.wikipedia.org/wiki/CRIME. Accessed 02 Sept 2018
  5. 5.
    Transport Layer Security: Attacks against TLS/SSL (2018). https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS/SSL. Accessed 02 Sept 2018
  6. 6.
    Abdallah, E.G., Zulkernine, M., Gu, Y.X., Liem, C.: Trust-cap: a trust model for cloud-based applications. In: 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 584–589, July 2017.  https://doi.org/10.1109/COMPSAC.2017.256
  7. 7.
    Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 5–17. ACM, New York (2015).  https://doi.org/10.1145/2810103.2813707
  8. 8.
    Amara, N., Zhiqui, H., Ali, A.: Cloud computing security threats and attacks with their mitigation techniques. In: 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pp. 244–251, October 2017.  https://doi.org/10.1109/CyberC.2017.37
  9. 9.
    Amazon Web Services: Amazon Web Services: Overview of Security Processes, May 2017. https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf. Accessed 02 Sept 2018
  10. 10.
    Aviram, N., et al.: Drown: breaking TLS using SSLv2. In: USENIX Security Symposium, pp. 689–706 (2016)Google Scholar
  11. 11.
    Barker, E.B., Dang, Q.H.: SP 800-57 Pt3 R1. Recommendation for key management, part 3: application-specific key management guidance, January 2015. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf. Accessed 02 Sept 2018
  12. 12.
    Barker, E.B., Roginsky, A.L.: SP 800-131A R1. Transitions: recommendation for transitioning the use of cryptographic algorithms and key lengths, November 2015. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf. Accessed 02 Sept 2018
  13. 13.
    Böck, H., Somorovsky, J., Young, C.: Return of bleichenbacher’s oracle threat (ROBOT). In: Proceedings of the 27th USENIX Conference on Security Symposium, SEC 2018, pp. 817–832. USENIX Association, Berkeley (2018). http://dl.acm.org/citation.cfm?id=3277203.3277265. Accessed 02 Sept 2018
  14. 14.
    Chandu, Y., Kumar, K.S.R., Prabhukhanolkar, N.V., Anish, A.N., Rawal, S.: Design and implementation of hybrid encryption for security of IoT data. In: 2017 International Conference On Smart Technologies For Smart Nation (SmartTechCon), pp. 1228–1231, August 2017.  https://doi.org/10.1109/SmartTechCon.2017.8358562
  15. 15.
    Cloud Security Aliance: the treacherous 12 - top threats to cloud computing + industry insights, October 2017. https://cloudsecurityalliance.org/download/artifacts/top-threats-cloud-computing-plus-industry-insights/. Accessed 02 Sept 2018
  16. 16.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2004).  https://doi.org/10.1137/S0097539702403773MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Duong, T., Rizzo, J.: Here come the XOR ninjas. White paper, Netifera (2011)Google Scholar
  18. 18.
    Durumeric, Z., et al.: The matter of heartbleed. In: Proceedings of the 2014 Conference on Internet Measurement Conference, IMC 2014, pp. 475–488. ACM, New York (2014).  https://doi.org/10.1145/2663716.2663755
  19. 19.
    Fardan, N.J.A., Paterson, K.G.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: 2013 IEEE Symposium on Security and Privacy, pp. 526–540, May 2013.  https://doi.org/10.1109/SP.2013.42
  20. 20.
    Google: Encryption at Rest in Google Cloud Platform, August 2016. https://cloud.google.com/security/encryption-at-rest/default-encryption/resources/encryption-whitepaper.pdf. Accessed 02 Sept 2018
  21. 21.
    Google: Encryption in Transit in Google Cloud, November 2017. https://cloud.google.com/security/encryption-in-transit/resources/encryption-in-transit-whitepaper.pdf. Accessed 02 Sept 2018
  22. 22.
    Google: Google Infrastructure Security Design Overview, January 2017. https://cloud.google.com/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf. Accessed 02 Sept 2018
  23. 23.
    Kaaniche, N., Laurent, M., Barbori, M.E.: CloudaSec: a novel public-key based framework to handle data sharing security in clouds. In: 2014 11th International Conference on Security and Cryptography (SECRYPT), pp. 1–14, August 2014Google Scholar
  24. 24.
    Khanezaei, N., Hanapi, Z.M.: A framework based on RSA and AES encryption algorithms for cloud computing services. In: 2014 IEEE Conference on Systems, Process and Control (ICSPC 2014), pp. 58–62, December 2014.  https://doi.org/10.1109/SPC.2014.7086230
  25. 25.
    Kivinen, T., Kojo, M.: More modular exponential (MODP) Diffie-Hellman groups for internet key exchange (IKE) (2003). https://tools.ietf.org/html/rfc3526. Accessed 02 Sept 2018
  26. 26.
    Liang, C., Ye, N., Malekian, R., Wang, R.: The hybrid encryption algorithm of lightweight data in cloud storage. In: 2016 2nd International Symposium on Agent, Multi-Agent Systems and Robotics (ISAMSR), pp. 160–166, August 2016.  https://doi.org/10.1109/ISAMSR.2016.7810021
  27. 27.
    Microsoft: Trusted Cloud: Microsoft Azure Security, Privacy and Compliance, April 2015. http://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf. Accessed 02 Sept 2018
  28. 28.
    Möller, B., Duong, T., Kotowicz, K.: This POODLE bites: exploiting the SSL 3.0 fallback. Security Advisory, September 2014. Accessed 02 Sept 2018Google Scholar
  29. 29.
    Neuman, D.C., Hartman, S., Raeburn, K., Yu, T.: The kerberos network authentication service (V5). RFC 4120, July 2005.  https://doi.org/10.17487/RFC4120. https://rfc-editor.org/rfc/rfc4120.txt
  30. 30.
    Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC 8446, August 2018.  https://doi.org/10.17487/RFC8446. https://rfc-editor.org/rfc/rfc8446.txt
  31. 31.
    Rescorla, E., Dierks, T.: The transport layer security (TLS) protocol version 1.2. RFC 5246, August 2008.  https://doi.org/10.17487/RFC5246. https://rfc-editor.org/rfc/rfc5246.txt

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.School of Computing, Queen’s UniversityKingstonCanada

Personalised recommendations