
Achieving Security Via Secure Network Authentication In Cloud Computing
Case Study: Cloud computing is a way of providing different computing services, including servers, remote storage and databases, networking software, and intelligence and analytics software. It is widely used by business organizations and individuals because of its dynamic scalability. It offers different models and services that users consume by paying according to the amount and volume of services used. Cloud computing delivers its services over the internet in the form of virtualized resources. Although it has many benefits for users, there are security risks involved in resource sharing and access. In this paper, we investigate security and authentication in Cloud Computing and several proposed mechanisms for Network Authentication, and we propose a new solution based on the Elliptic Curve Digital Signature Algorithm to improve and enhance user authentication in Cloud Computing. Network security, on the other hand, comprises a variety of technologies, devices, processes and procedures, together with a specific set of rules, policies and configurations, intended to protect the integrity, confidentiality and availability of networks and information; it uses both hardware and software technologies. The research questions that arise here are: 1. Do the existing network authentication schemes provide strong and unbreakable authentication in the case of cloud computing? 2. What specific processes should be implemented when developing a secure network authentication scheme? 3. What other factors make network authentication so crucial in cloud computing?

1. INTRODUCTION
1.1 Cloud Computing
Cloud computing is a general term for delivering hosted services over the network. It enables organizations and individuals to consume a variety of computing resources, including virtual machines, storage and utilities such as applications. Over time, its usage has increased because of its major benefits. The central benefits of cloud computing include self-service provisioning, elasticity, pay-per-use, workload resilience, and migration flexibility. It is an advanced technology that lets its users access configurable resources such as servers, databases, networks and applications, built on the concept of virtualization. Cloud computing allows its users to use the services provided without worrying about the technology and infrastructure by which those services are delivered. The difficulty in today's business organizations is that the need for hardware and software grows very fast: whenever any new hardware or software is needed within an organization, personnel must first buy that resource, and then experts are needed to install it properly. With cloud computing, the client does not have to manage all these resources, so the burden on the client side is reduced. In general, the cloud is like a "resource pool" that provides economical, on-demand services to its users. In the cloud, services and resources are provided to consumers through three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Besides these service models, cloud computing has three deployment models, which represent specific cloud environments distinguished essentially by ownership, size and access: Private Cloud, Public Cloud and Hybrid Cloud. With the growing popularity and advancement of cloud computing in the market, concerns about its security are also rising.

1.2 Network Related Cloud Computing Vulnerabilities and Attacks


Cloud computing, with its many advantages, is useful in various application domains such as education, banking, health and financial organizations. But because of its distributed architecture, cloud computing faces various security-related issues. The best-known cloud computing security attacks and vulnerabilities are "unauthorized access to the management interface, internet protocol vulnerabilities, data recovery vulnerability, IP spoofing, and malware injection attack" [1], whereas the core security issues of Cloud Computing are "authentication, data integrity, data confidentiality and access control" [4].

One of the core security issues in Cloud Computing is authentication. It prevents illegitimate access by unauthorized users to cloud resources, so before any cloud service is accessed, authentication is required to check whether a user is legitimate or not. It plays a pivotal role in the security of many computing applications, for granting and revoking application access to users, programs and APIs. Being distributed in architecture, Cloud Computing faces complications in administering users' identities and their authentication and authorization. The most frequent authentication attacks are brute force, insufficient authentication and weak password recovery validation. Most authentication protocols are designed using cryptographic schemes. In 2016 Zarad et al. [1] introduced an authentication scheme for securely accessing cloud services. They introduced a key agreement protocol for authentication based on elliptic curve cryptography and Diffie-Hellman key exchange; their scheme authenticates the user in multiple steps, and they chose elliptic curve Diffie-Hellman because of the short key sizes of elliptic curves. After analyzing their scheme, we identified the following problems. Diffie-Hellman is a non-authenticated protocol that provides no encryption: it is only a key exchange over an insecure channel, which means that a symmetric scheme must also be used for encryption and decryption of messages, increasing cost and computational time. The Diffie-Hellman protocol has three basic versions: anonymous Diffie-Hellman, fixed Diffie-Hellman and ephemeral Diffie-Hellman. Although they did not specify which version they use, the anonymous version is vulnerable to Man-in-the-Middle attacks because its values are unsigned: the attacker eavesdrops between the communicating parties and replaces the exchanged values with its own. In ephemeral Diffie-Hellman, the domain parameters change with every session and the values are signed in order to prevent Man-in-the-Middle attacks. But the signature also changes every time with the signed message, so how can the second communicating party verify the authenticity of the signature? In fixed Diffie-Hellman and ephemeral Diffie-Hellman this problem can be solved by adding a Certification Authority or certificates for verifying the authenticity of signatures. The communicating parties also use random number generators; if their outputs are not completely random and are predictable to some extent, the eavesdropper's task becomes much easier.

The above discussion indicates the need for a secure and efficient authentication mechanism for Cloud Computing that overcomes all of the above limitations. To fulfil this requirement, we propose a newer and more secure user authentication mechanism for Cloud Computing. This study aims to analyze the basic requirements for network and user authentication in Cloud Computing, answering the research questions raised in the case study, and to propose a solution based on the Elliptic Curve Digital Signature Algorithm (ECDSA).

The rest of the paper is organized as follows: Section 2 gives details of some proposed authentication schemes for Cloud Computing. Section 3 briefly describes the Elliptic Curve Digital Signature Algorithm. Section 4 presents our scheme for Secure and Enhanced Authentication. Section 5 gives a security analysis of the use of the Elliptic Curve Digital Signature Algorithm. Section 6 concludes the study.

2. REVIEW OF RELATED WORKS


In this section, the proposed solutions for Cloud Computing Network Authentication are discussed. Many authentication mechanisms have been introduced for secure access to cloud services, most of them based on different cryptographic and authentication protocols. In 2014 Faraz Fatema et al. [2] proposed an authentication mechanism for cloud computing. The mechanism was built on two agents, a client-based user authentication (CUA) agent and a modified Diffie-Hellman agent (MDHA); it was essentially an extension installed in the end user's web browser to verify the user before any cloud service is accessed. In 2013 Iman Ghavam et al. [3] introduced a scheme for cloud user authentication based on two steps: 1. encryption by a client-based algorithm to encrypt data prior to uploading it to cloud servers, and 2. a secure key exchange for user authentication, verifying the user's identity and granting access to cloud services. In 2017 Shreya Gawade, Anand Bharti, Ashish Raj and Shweta Madane [7] proposed biometric authentication using Software as a Service for cloud computing. This scheme is based on a biometric mechanism and has two phases. The first phase is the enrollment process, in which the user provides his/her biometric information, e.g. fingerprints, which is converted by a biometric sensor and stored on the cloud server. The second phase is the verification process, in which the user's data is verified for a successful login. In 2018 Jihad Qaddou et al. [8] proposed a multifactor biometric authentication mechanism for cloud computing. This mechanism is based on two layers with five additional phases. The first two phases are the registration phase and the login phase, in which the user registers and then logs into the system. In the third phase, a true random number is generated and used to identify the user after he/she provides his/her biometric identity in the fourth phase. In the last phase, the user's biometric identity is matched against the record stored on the server to give the user full access.

3. ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM FOR SECURE NETWORK AUTHENTICATION

The Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of digital signatures in cryptography that uses elliptic curves. The working of ECDSA includes the generation of public and private keys together with the generation and verification of signatures. ECDSA first generates the private and public keys from the underlying group and the selected curve. The public key is a point that lies on the curve (together with the curve equation), whereas the private key is a randomly generated number. The private key can then be used to create digital signatures for any message using the signature algorithm; this is typically done by computing the cryptographic hash of the message and then performing the mathematical operations of the signature algorithm on it using the private key. To verify signatures, the corresponding public key is used together with the signature verification algorithm. In public key cryptography, the security of a key depends on its size, and key sizes vary in ECDSA. In general, the public key size needed for ECDSA is about twice the security level in bits: for a security level of 80 bits, the ECDSA public key will be 160 bits. For ordinary (non-elliptic-curve) digital signatures, the public key is at least 1024 bits long, so the difference is clear. Compared to the Diffie-Hellman and RSA schemes, ECDSA is much harder to break because breaking it requires solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). The security of elliptic curves is based on the difficulty of the ECDLP, so a harder ECDLP means more security [1]. The domain parameters of elliptic curves include the curve equation y^2 = x^3 + ax + b and a base point (X, Y) [1]. Elliptic curves can be generated by different methods, as discussed in [1]. By using ECDSA, we get the same security level with much smaller key sizes than RSA and Diffie-Hellman, which need much larger keys. Table 3.1 compares the key sizes of the three public key cryptography schemes in terms of the security provided:

                   RSA      Diffie-Hellman key exchange   Elliptic Curve DSA
  Key size (bits)  1024     1024                          160
  Key size (bits)  2048     2048                          224
  Key size (bits)  3072     3072                          256
  Key size (bits)  7680     7680                          384
  Key size (bits)  15360    15360                         512

Table 3.1: Key sizes (in bits) of RSA, Diffie-Hellman and ECDSA at comparable security levels

In most cases, symmetric cryptography fails because the two communicating parties do not trust each other, as either of them may be malicious. This issue can be resolved by using public key cryptography with digital signatures. Digital signatures are mainly used for verifying the authenticity of messages, and they provide us with different security services. The core security services are "Confidentiality, Integrity, Message Authentication and Non-Repudiation", while other security services include "Identification, Access Control, Availability, Auditing, Physical Security and Anonymity". Elliptic curves, together with ECDSA, are typically used in the security of systems and messaging. ECDSA not only provides much more security with smaller key sizes than the RSA and Diffie-Hellman protocols, it is also much more efficient in computation, and it reduces the storage needed for keys and algorithm parameters [1].

4. THE PROPOSED SCHEME


In this section, we present our proposed scheme for authentication in Cloud Computing. The objective of our scheme is to authenticate the user securely with minimum resource utilization and fast computation, along with protection against security attacks such as Man-in-the-Middle attacks, replay attacks and timing attacks. We use the Elliptic Curve Digital Signature Algorithm (ECDSA) with a 128-bit key size for authentication. An elliptic curve uses a standard equation for generating keys instead of large primes, and the choice of equation gives us an advantage in computation. We select curve25519 for generating keys: it is one of the fastest elliptic curves and provides 128 bits of security, computations over it are extremely fast, and it is not affected by any known attack yet. The main phases of ECDSA are the following:

4.1 Key Generation


In the key generation phase, the domain parameters are selected. The domain parameters are the curve E, the modulus p (a large prime), randomly chosen coefficients a and b, and a point A = (X, Y) that generates a cyclic group of order q. We then choose a random integer d with 0 < d < q and compute the point B by performing group operations as B = dA (A + A + A + ... + A, d times). The group operations are point addition and point doubling. The integer d is the private key, and the parameters p, a, b, q, A, B form the public key.

4.2 Signature Generation


In the signature generation phase, a random integer Ke with 0 < Ke < q is chosen; Ke is called the ephemeral key. We then compute the point R = (Xr, Yr) from the ephemeral key and the point A as R = Ke * A. The coordinate Xr is taken as r, and the hash of the message, h(message), is computed with the hash function SHA-256. Finally, the signature is computed as s = (h(message) + d * r) * Ke^-1 mod q.

4.3 Signature Verification


In the signature verification phase, we first compute w from s and q as w = s^-1 mod q. We then compute x1 = w * h(message) mod q and x2 = w * r mod q. The point P is obtained as P = x1 * A + x2 * B. Finally, the signature is verified by the condition Px = r mod q, where Px is the x-coordinate of P; if Px != r mod q, the signature is invalid.

The authentication steps of our proposed model are the following:

1) In the first step, the domain parameters are chosen and the keys are generated on the user's side using ECDSA. The user keeps his/her private key and sends the corresponding public key to the server, which stores the public key for signature verification at a later stage.

2) In the second step, the user computes the hash of his/her password using the secure hash algorithm SHA-256. SHA-256 takes a message as input and produces a 256-bit (32-byte) digest that is unique to that message.

3) In the third step, the signature is computed on the user's side using ECDSA with the private key and the hash of the password.

4) The signature computed on the user's side is then sent to the server along with the hash of the password for verification and authentication.

5) On the server side, the server first gets the user's password from the database and computes its hash using SHA-256. The server then uses the public key and the other parameters sent by the user to verify the signature with the signature verification process.

6) The server also compares the hash received from the user with its locally computed hash to check whether both values are equal. If both values are equal, the server authenticates the user successfully; otherwise it does not.
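The three ECDSA phases of Sections 4.1 to 4.3 and the six login steps above, as a worked example added here (this is not code from the paper): a pure-Python toy ECDSA written in the paper's notation (p, a, b, A, q, d, B, Ke, r, s, w, x1, x2, P), followed by a constructed client and server that run the six steps. It assumes the secp256k1 domain parameters rather than curve25519, because secp256k1 is a short-Weierstrass curve in the y^2 = x^3 + ax + b form of Section 3 (curve25519 is a Montgomery curve normally paired with EdDSA); the user name, password, `Server` class and `client_login` function are constructed for the example.

```python
"""Toy ECDSA in the notation of Section 4, plus the six-step login flow (constructed example)."""
import hashlib
import hmac
import secrets

# Domain parameters (Section 4.1): curve E: y^2 = x^3 + a*x + b over F_p, base point A of
# prime order q.  ASSUMPTION of this example: secp256k1 values instead of the paper's curve25519.
p = 2**256 - 2**32 - 977
a, b = 0, 7
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)

def point_add(p1, p2):
    """Group operation: point addition, or point doubling when p1 == p2 (affine coordinates)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def scalar_mult(k, pt):
    """k*pt = pt + pt + ... + pt (k times), by double-and-add (not constant-time)."""
    result = INF
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result

def h(message):
    """h(message): SHA-256 of the message, read as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def keygen():
    """Section 4.1: private key d with 0 < d < q, public key B = dA."""
    d = secrets.randbelow(q - 1) + 1
    return d, scalar_mult(d, A)

def sign(d, message):
    """Section 4.2: R = Ke*A, r = Xr mod q, s = (h(message) + d*r) * Ke^-1 mod q."""
    while True:
        ke = secrets.randbelow(q - 1) + 1          # fresh ephemeral key for every signature
        r = scalar_mult(ke, A)[0] % q
        s = (h(message) + d * r) * pow(ke, -1, q) % q
        if r and s:                                 # r == 0 or s == 0 is unusable: retry
            return (r, s)

def verify(B, message, sig):
    """Section 4.3: w = s^-1, x1 = w*h, x2 = w*r, P = x1*A + x2*B, accept iff P.x == r mod q."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    x1, x2 = w * h(message) % q, w * r % q
    P = point_add(scalar_mult(x1, A), scalar_mult(x2, B))
    return P is not INF and P[0] % q == r

# --- Login flow of steps 1-6 (client and server are constructed for this example) ---
class Server:
    def __init__(self):
        self.records = {}                           # user -> (public key B, stored password)

    def register(self, user, B, password):          # step 1: the server stores B for later
        self.records[user] = (B, password)

    def authenticate(self, user, pw_hash, sig):     # steps 5 and 6
        if user not in self.records:
            return False
        B, stored_password = self.records[user]
        local_hash = hashlib.sha256(stored_password).digest()   # step 5: hash from the database
        sig_ok = verify(B, local_hash, sig)                     # verify over the server's own hash
        hash_ok = hmac.compare_digest(local_hash, pw_hash)      # step 6: constant-time compare
        return sig_ok and hash_ok

def client_login(d, password):                      # steps 2 to 4
    pw_hash = hashlib.sha256(password).digest()     # step 2: SHA-256 of the password
    return pw_hash, sign(d, pw_hash)                # step 3: sign the hash; step 4: send both

def demo():
    """Returns (genuine login accepted?, wrong-password login accepted?)."""
    srv = Server()
    d, B = keygen()
    srv.register("alice", B, b"constructed-password")
    accepted = srv.authenticate("alice", *client_login(d, b"constructed-password"))
    wrong = srv.authenticate("alice", *client_login(d, b"wrong-password"))
    return accepted, wrong
```

Two details go slightly beyond the text: the server verifies the signature over the hash it computes from its own database rather than over the copy the client sent, so step 5 does not depend on trusting the received hash, and the step 6 comparison uses `hmac.compare_digest` so that it does not leak through timing. The double-and-add loop is not constant-time, so this toy does not itself give the timing-attack resistance the paper attributes to curve25519; a deployment would use a vetted library implementation of the curve arithmetic.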

5. SECURITY AND PERFORMANCE ANALYSIS OF SECURE NETWORK AUTHENTICATION
The security and performance of the proposed model are evaluated with the following parameters in mind:

1) Fast and Efficient Computations - Curve25519 provides extremely fast computation of domain parameters and keys with a key size of 128 bits. It also reduces the storage needed for keys because of the shorter key sizes.

2) Message Integrity - The SHA-256 hashing algorithm provides message integrity and makes sure that the message is not changed in transit. SHA-256 is a one-way function, which means that a value generated by it cannot be reversed, and any change in the hash value indicates that the message was changed in transit.

3) Message Confidentiality and Privacy - Message confidentiality and integrity are achieved by using the SHA-256 hashing algorithm together with the digital signature algorithm.

4) Protection against Timing Attacks - curve25519 is designed to be immune to timing attacks; its computation time is constant, which prevents timing attacks.

5) Protection against Replay Attacks - The ephemeral key Ke is random and is generated afresh for every new session, which prevents replay attacks.

6) Deterministic generation of the ephemeral key (Ke) - Prevents attackers from recovering the private key through collisions in the value of Ke.
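Item 6 of the list above calls for deterministic generation of Ke. The function below is an added illustration, not code from the paper: it derives Ke from the private key d and the message hash with HMAC-SHA256, in the spirit of RFC 6979 but simplified (RFC 6979 runs a full HMAC-DRBG; the single HMAC per attempt with a counter used here is an assumption of this example). The group order q is a parameter so that the rejection loop can be exercised with a tiny constructed q as well as a 256-bit one.

```python
"""Deterministic ephemeral key Ke (item 6 above), constructed example in the spirit of RFC 6979."""
import hashlib
import hmac

def derive_ke(d, msg_hash, q):
    """Derive Ke deterministically from the private key d and the message hash.

    Simplified from RFC 6979 (assumption of this example): one HMAC-SHA256 per attempt,
    keyed with d, over the message hash and a counter.  As in RFC 6979's bits2int, only
    the top len(q) bits of the MAC are used, and candidates outside 0 < Ke < q are
    rejected, so the result is uniform over the valid range for any q of at most 256 bits.
    """
    qlen = q.bit_length()
    key = d.to_bytes(32, "big")                      # d < 2**256 is assumed here
    counter = 0
    while True:
        mac = hmac.new(key, msg_hash + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        cand = int.from_bytes(mac, "big") >> (256 - qlen)
        if 0 < cand < q:
            return cand
        counter += 1                                 # out of range: try the next counter value

def ke_for_message(d, message, q):
    """Ke for a concrete message: the same (d, message) always yields the same Ke."""
    return derive_ke(d, hashlib.sha256(message).digest(), q)
```

In the signing step of Section 4.2 this replaces the random draw of Ke. Because Ke is a function of d and the message hash, two signatures over different messages can only share Ke by a SHA-256 or HMAC collision, not by a weak random number generator, which is the collision item 6 refers to; signing the same message twice reproduces the same (r, s), which reveals nothing new.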

6. CONCLUSION
With the rapid advancement and development of Cloud Computing, the challenges of secure, efficient and reliable authentication are also increasing. Keeping the foremost parameters of computation time, efficiency and security in mind, an improved and enhanced authentication scheme is proposed for network and user authentication in Cloud Computing. The proposed scheme is based on the Elliptic Curve Digital Signature Algorithm. Elliptic curves provide more security with much shorter keys than other protocols such as RSA and Diffie-Hellman, and the shorter keys reduce the storage needed for keys and algorithm parameters. The use of curve25519 as the underlying curve makes computations extremely fast and prevents timing attacks because of its constant computation time. The SHA-256 secure hash algorithm provides message integrity in transit. Together, these properties make the proposed scheme an efficient, secure and reliable protocol for authentication in Cloud Computing.

7. REFERENCES
[1] Mohamed M. Zarad, Ahmed A. Abdel-Hafez, Ahmed H. Hassanein, "Secure and Efficient Authentication Scheme for Cloud Computing", International Journal of Computer Applications, May 2016.

[2] Faraz Fatemi, Shiva Gerayeli Moghaddam, "A scalable and efficient user authentication scheme for cloud computing environments", IEEE 2014 Region 10 Symposium.

[3] Shorab Rouzbeh, Iman Ghavam, "A client-based user authentication and encryption algorithm for secure accessing to cloud servers", 2013 IEEE Student Conference on Research and Development, 16-17 December 2013, Putrajaya, Malaysia.

[4] Aniesh Krishna K, Balagopalan A S, "Authentication Model For Cloud Computing Using Single Sign-On", Department of Computer Science and Engineering, Sri Ramakrishna Engineering College, Coimbatore.

[5] Hyosik Ahn, Hyokyung Chang, Changbok Jang, Euiin Choi, "User Authentication Platform using Provisioning in Cloud Computing Environment", Dept. of Computer Engineering, Hannam University, Daejeon, Korea.

[6] Nan Chen, Rui Jiang, "Analysis and Improvement of User Authentication Framework for Cloud Computing", School of Information Science and Engineering, Southeast University, Nanjing, China.

[7] Shu Yun Lim, M. L. Mat Kiah, Tan Fong Ang, "Security Issues and Future Challenges of Cloud Service Authentication", Faculty of Business Technology and Accounting, Unitar International University, 47301 Selangor Darul Ehsan, Malaysia; lim_sy@unitar.my.

[8] Ricardo Carvalho, "Cloud Computing Authentication Security with Diversity and Redundancy", INESC-ID, Instituto Superior Técnico, Universidade de Lisboa.

[9] Shreya Gawade, Anand Bharti, Ashish Raj, Shweta Madane, "Biometric Authentication using Software as a Service in Cloud Computing".

[10] Jaydip Thakkar, "An Encryption and Decryption More Secure Elgamal Cryptosystem", Department of Computer Science and Engineering, Narnarayan Shastri Institute of Technology, Jetalpur.
