International Journal of Information Technology and Web Engineering

Volume 17 • Issue 1

A Secure Data Transfer Approach With an Efficient Key Management Over Cloud
Lalit Mohan Gupta, Aligarh College of Engineering and Technology, Aligarh, India*
Hitendra Garg, GLA University, Mathura, India
Abdus Samad, Aligarh Muslim University, Aligarh, India

ABSTRACT

The growth in the number of cloud users who transfer their health data has increased the importance
of cloud technology’s services and capabilities. However, transferring patient health data to the cloud
leaves researchers with several concerns and obstacles in privacy, storage, access, key formation, and
management. The paper presents an efficient methodology for storing health information in the cloud
and accessing it from the cloud. Symmetric key cryptography with the MD5 hash function is employed
to enhance the framework’s efficiency. The proposed method also provides secure data sharing and
removes the burden of an exhaustive re-encryption computation. In the paper, two different keys are
computed: one key for each legitimate user in a group and another key for the crypto-system,
which is responsible for all computations over the data. The method provides security against
internal threats since only a single share of the key can be accessed. The efficiency of the model is
evaluated by measuring the execution time of the key formation, encryption, and decryption processes.

KEYWORDS
Cloud Computing, Confidentiality, Privacy, Security, Symmetric Key Cryptography

1. INTRODUCTION

In the digital world, with exponential growth in internet users and technologies, cloud computing (CC)
is becoming a dominant technology among industry executives, academicians, and researchers. CC
not only provides on-demand computing resources (A. Abbas, 2014 and S.U. Khan et al., 2014),
but also allows flexibility in data access, i.e., cloud users are able to access their data from
anywhere in the world. The majority of businesses have begun to move their data to the cloud
in order to expand their business infrastructure with low budgets and upkeep (K. Alhamazani et al.,
2014 & A. N. Khan, M. L. M. Kiah et al., 2014). The on-demand storage service of cloud computing is
a major challenge for cloud service providers (CSPs). A CSP must assure
cloud users that their information is secure and that no one can access their data without their permission.
L. Wei, H. Zhu et al., 2014 proposed a framework to ensure the security and confidentiality of an
individual’s data. In a cloud service, the user uploads all information to the cloud without retaining
a backup of the data. After uploading, a data owner loses his physical control over the data and

DOI: 10.4018/IJITWE.306917 *Corresponding Author


This article published as an Open Access article distributed under the terms of the Creative Commons Attribution License
(http://creativecommons.org/licenses/by/4.0/) which permits unrestricted use, distribution, and production in any medium,
provided the author of the original work and original publication source are properly credited.

these outsourced data may be at high risk of leakage to malicious users. In the cloud, the
same storage is shared by multiple cloud users, so an individual’s information may be accessed by
illegitimate users. These illegitimate users may be either authorized or unauthorized individuals.
Therefore, a CSP faces additional difficulties in maintaining and storing data in the cloud. To
preserve the security of data in the cloud, some CSPs allow data users to upload only encrypted
data, but performing the encryption on the data owner’s side places an excessive computational burden
on the owner. In addition, to alter the data, it must first be retrieved from the cloud, decrypted,
updated, and then re-encrypted before being uploaded to the cloud again. This complete
practice requires two encryptions and one decryption, which is very time-consuming
and degrades system performance. To overcome this problem, the data owner
permits the CSP to perform the computation on the outsourced data. In a cloud context, the CSP acts as a Third
Party Auditor (TPA) and is regarded as a partially authentic entity. As a result, the
CSP’s untrustworthiness poses many security problems for enterprises, organizations, and
academics. Various cryptographic techniques have been proposed by researchers to hide
the actual meaning of the data. Deoxyribonucleic acid (DNA) based cryptography approaches
have become popular in recent years. Numerous DNA cryptography methods are reported in the
literature (Ashish Gehani, Thomas La Bean et al., 2000; Ashish Gehani et al., 2004; Beenish Anam,
Kazi Sakib et al., 2010; Lalit Mohan Gupta et al., 2019). To enhance the protection and security
of data, researchers introduced the concept of access control over the data. Identity based encryption
(IBE) (Boneh D et al. 2005) and Attribute based encryption (ABE) (Goyal et al., 2006) are
two major access control encryption schemes in which only those users who satisfy the access
control policy can decrypt the encrypted data. In the scheme of D. Chen et al., 2014, the data owner
performs access control, key generation, encryption, and decryption of files in a standard framework.
The number of members in a group may change over time, i.e., members may be either added or
removed based on their agreement policy. As a result, when information is shared among group
members, a flexible cryptographic framework is required to manage this varying number
of users. The approach should be capable of efficiently handling key management (A. N. Khan, M.
M. Kiah et al. 2014). Existing, departing, and newly admitted group users may engage in nefarious
acts in order to compromise the security and privacy of group data (A. N. Khan, M. M. Kiah
et al. 2014). Internal attacks that compromise data security can be far more damaging than external
attacks. Many researchers, in most circumstances, trust internal institutions and are mainly concerned
with protecting data from outside intruders. Nevertheless, with the presence of numerous members in
a group, a number of data safety concerns must be addressed. In this study, we highlight some of
the major concerns raised by the participation of multiple members of a group during data sharing.
This article addresses the previously mentioned security concerns about sharing data in a group
over the cloud. Backward access control is achieved by using a single key shared by all members of
a group to allow a newly admitted user access to all past data. In the same way, forward access
control allows users to access all information sent in the future. In such cases, security may be
breached if the system management crashes or a violation of the data access restrictions occurs (Y.
Chen and W. Tzeng et al., 2012). The owner of the data file uploads the data file along with a
list of permissible members and the relevant parameters for the crypto-system (CS) to construct an
authorized users list (AUL). CS is assumed to be a fully trustworthy component in the proposed system,
and is responsible for performing all computation tasks, such as generating the key for all the users
in a group, performing the encryption/decryption processes, and applying the access control policy.
The crypto-system generates
a unique symmetric key for each user and the same key is associated with the individual user’s key
to encode or decode the data file. The proposed system’s security is achieved by dividing each key
into two halves for every member in the existing group. Splitting a key into two halves prevents

any single half from forming the complete key. The system allocates only one component of the key to
the associated user, while the other half is retained by CS in the data owner’s access list. Using
protected overwriting (P. Gutmann, 1996), the source key is continuously removed from the system.
The proposed architecture model is depicted in Figure 1, and the model’s operation is discussed in
depth in Section 4.
The following are some of the ways in which this paper contributes:

• To protect the data from malicious users, each group member keeps only a portion of the key.
• It protects data against internal risks such as backward and forward access control.
• The proposed technique provides more security for the data and is also faster in computation
than the traditional method because it avoids the ECC and BDH cryptographic
re-encryption techniques over the cloud.
• The privacy and integrity of the data are achieved in the offered methodology by using a
symmetric key algorithm.

Figure 1. Proposed cloud server architecture

2. LITERATURE WORK

Over the last decade, researchers have proposed various architectural and security measures
to enhance the security of data in the cloud computing environment. Many of the approaches
presented in the literature are significant for the security of
cloud computing. B. Gastermann et al., 2015 improved data security by proposing a
framework that incorporates cryptographic techniques, such as the “Advanced Encryption Standard
(AES)” algorithm and the hash function SHA-2. A safe cloud storage approach for small and
medium-sized organizations (SMEs) has been introduced and deployed by K.N.
Pushpalatha, 2015. When sending data to the cloud, these researchers combined
the encryption algorithm (AES) with the hash function (MD5) to ensure data integrity and anonymity.
Using erasure coding together with the RSA and AES encryption methods, M. Meenakumari et
al., 2014 have also presented a way of securely sending data to a cloud storage device.
The technique suggested by Aman Shakya et al., 2019 generates a 128-bit hash code for an input
of any length. The function hashes a message with a key so that an intruder who doesn’t know the
key can’t fabricate the hash code, and therefore it satisfies the security, authentication, and integrity
requirements for communication in a network.
The methods of (M. Ali et al., 2017; Liu, Dong-liang et al. 2010; Gola, Kamal Kr. et al., 2014; Arora,
Rachna et al., 2013) are good examples of frameworks that can be used in a variety of situations. These
methods are neither practical nor effective for mobile devices because of the high computational cost
of key generation. The article (L. Xu, X. Wu. et al., 2012) provides a symmetric key encryption
scheme which is more effective on a public cloud for exchanging data secretly within a certain group.
The approach also enhanced the privacy of the data by applying the encryption on the data owner’s
public key. Thereafter, the encrypted data and key are uploaded to the cloud. This procedure is
known as the Certificate-less Proxy Re-encryption Scheme (CL-PRE). As a further security
improvement, the encrypted key is encrypted again by the cloud
using the proxy re-encryption method. Without a certificate, a secret key pair is generated based on
one’s identity. The BDH and bilinear pairing techniques make PRE more expensive
in computation than the usual operations in finite fields.
The publication (S. Seo, M. Nabeel et al., 2013) described a strategy for lowering the bilinear
pairing computation overhead. To facilitate communication in the public cloud, the researcher avoids
using bilinear pairing in his mediated certificate-less encryption scheme. By outsourcing all tasks to
CS, the model relieves the data owner of their load. These responsibilities include encryption,
decryption, establishing key pairs for persons, and transmitting specific public keys to allowed users.
The method also makes user revocation, partial decryption, and key management simple for users,
although one’s confidentiality may be compromised due to the unreliability of CS in a cloud context.
As a result, transferring the key creation process to a shared multi-tenant cloud system is not regarded
as safe. Furthermore, repeating the decryption procedure reduces the efficiency of this technology.
Abdul Nasir Khan et al., 2014 suggested an incremental cryptography approach in which
information is split into several chunks that are then encoded one at a time. The proposed solution takes
advantage of a private cloud to reduce the time required to generate the keys. This framework shares
secret data to the cloud using the El-Gamal Cryptosystem and bilinear pairing, but it is unable to
lower the computation cost of bilinear pairing.
A security architecture for group data sharing has been established in the publication (Y. Chen and
W. Tzeng, 2012). This article computes the key by using a binary tree and distributes the key among
all the users in the system. The computation cost of the scheme is too high and the scheme is easy to breach
due to the re-keying approach. This study presents a framework for protecting data exchange among
a group without requiring the BDH, bilinear pairing, or El-Gamal cryptosystem. By encrypting data
via symmetric key cryptography, the framework avoids the need for re-encryption. This strategy could
reduce computationally expensive operations, resulting in better overall system performance. The

proposed approach enhances the system’s security by permitting group
members to receive only one half of the key, which is beneficial for restricting data access in both ways.
Rewadkar, D. N. et al., 2014 devised a method for appointing a third-party auditor
(TPA) to ensure cloud data confidentiality. This article uses a homomorphic encryption method
in which alterations are performed on encrypted data, hiding the actual meaning of the data
from the cloud server.
For health records, Lalit Mohan Gupta et al., 2020 presented the TBHM security architecture,
which uses fully homomorphic characteristics and the MD5 integrity algorithm. In his model,
the researcher improved key generation, encryption, and decryption times, but the fully
homomorphic approach is more expensive than existing encryption strategies.
J. Shen et al., 2019 used symmetric balanced incomplete block design (SBIBD) to provide a framework for
sharing data across many participants’ contexts. The suggested framework is appropriate for
extending the number of users dynamically over the cloud, but data security is always a big problem.
Neenu Garg et al., 2020 introduced an integrity mechanism which decreases the computational
cost of system setup. The author’s protocol employs bilinear pairings to validate and perform
randomization operations on data, as well as the Diffie-Hellman approach to ensure system security.
A novel data integrity approach, named secure identity aggregate signatures (SIBAS), has been
proposed in the article (Y. Fan, X. Lin, G. Tan et al., 2019). This protocol uses a (t, n) threshold
scheme to ensure privacy and easy key management in a reliable computation environment.

3. MOTIVATION

There are various issues in terms of data access, key creation, encryption, and decryption times.
Researchers must consider the above characteristics when designing an effective security system.
Many solutions have been developed and documented, but none of them guarantee that security
breaches on data shared among the group would be totally eliminated. Compared to the
existing cryptographic systems, this article makes a big effort to limit the security concerns
posed by both internal and outside users and improves key generation, encryption, and decryption
time. This approach eliminates the risk of outsider or insider attacks on a group’s shared data.
The framework’s security is improved by introducing partial key sharing. No malicious user can
decode the shared data using one’s partial key. Researchers in the past introduced multiple
cryptographic hash functions such as MD2, MD4, MD5, SHA-1, SHA-384, SHA-256, SHA-512,
and SHA-224 to improve the security and data integrity of the system. In terms of security,
memory space, and processing speed, each has its own set of advantages and disadvantages.
According to A. A. Putri Ratna et al., 2013, the MD family of hash functions uses less memory and
processes data faster; however, it is less secure than the SHA family of hash functions.
D. Rachmawati et al., 2018 reveal that the SHA family is more secure but slower in
processing time than the MD5 family, and demonstrated that MD5 has a considerably faster execution
time than SHA256 for the same calculation complexity Θ(n). To enhance execution speed and
memory usage, the suggested technique applies the MD5 hash function. Therefore, the proposed
architecture increases the system’s efficiency and is cost-effective in terms of memory during
key creation, encryption, and decryption.

4. THE PROJECTED MODEL

This section discusses the methods and entities utilized in the proposed technique for securely sharing
the data in a cloud environment without conducting the re-encryption process. Our model is primarily
made up of three entities, each of which is discussed in detail below.

4.1 Entities in the System


• Crypto-System (CS): CS is a trusted unit in the proposed model which is responsible for carrying
out all security operations, such as the access control policy, key creation, encoding and decoding,
and building the authorized users lists (AULs). To gain access to these security services, the user
must first register with CS.
• Cloud: The data owner outsources the data to the cloud and uses the storage service of the Cloud
Service Provider (CSP). Before the data is transmitted to the cloud, it is encrypted for
privacy and security reasons. File Uploading and File Downloading are the two primary cloud
operations used in the suggested methodology.
• Users in a Group: The data file is uploaded to the cloud by a group user. Each data file has
only one owner, with the remaining users acting as consumers. The owner of the data file determines
the access privileges to be granted to the group users for the data file. CS keeps track of the
constraints associated with access control in the form of an AUL file.

4.2 Procedures for the System


• Encryption keys generation procedure: The suggested method uses a symmetric key mechanism,
in which the same secret key is used to encrypt and decrypt each
data file. This secret key is not fully accessible to any of the group members or to CS, as
the key is split into two halves throughout the encryption/decryption process, one of
which is given to the appropriate member of the group and the other preserved by CS. To decrypt
the encrypted data, both halves of the key are required; a single component of the key is not
able to decrypt the data.
• Encryption of Data File (F): The encryption of data file F uses two methods: one for
key generation and the other for encrypting the file for member k. The Key Formation
function creates a Key for each group member using the MD5 hash algorithm, while
Encryption_Process creates a Keyk’ for each group member k, adds it to the authorized
list, and then encrypts the data file F. The encryption procedure is discussed in
detail in Table 1.
• Forming the Key (Key): For each data file, the CS generates a 128-bit random secret key. A two-
stage technique is used to calculate the model’s key. In the first stage, a 128-bit random number
R is formed, with R = {0, 1}^128; in the second stage, R is passed through the MD5 hash function,
which outputs a 128-bit key. The hash function’s result serves as
the data file’s key, while the second phase of the key completely randomizes the initial user-
generated random number R. The data file is encrypted using AES, which is a common
symmetric key encryption approach.
• CS Key Share (Keyk) Generation: CS generates a unique 128-bit Keyk for each user in the
group, Keyk = {0, 1}^128. This Keyk is one component of the Key and is kept by the CS so that
it can compute the actual Key whenever a user requests encryption or decryption of the data
file. Furthermore, the comparison ensures that a unique Keyk is created for each file user.
• User Key Share (Keyk’) Formation: The CS computes the key for every user k in the group.
It then performs the Ex-OR operation with the associated CS
key share as follows:
Keyk’ = Key ⊕ Keyk

Table 1 shows the entire encryption process incorporating the method of key creation and
encryption for Data File F.

Table 1. The HLPN model’s symbols and data types

Symbols   Types    Description
F         String   It comprises the data to be secured.
Key       String   It represents the symmetric key.
Keyi      String   It contains the first part of K for the ith user.
Keyi’     String   It contains the second part of K for the ith user.
C         String   It is the encrypted data.
Ui        Number   It denotes the number of the ith user.
Grp_ID    Number   It represents the number of the group ID.
H         String   It contains the hash value of the data.

Algorithm 1. Procedure for encryption of data file F


Encryption ()
{
    Key_Creation()
    {
        // Obtain a binary random number R of length 128 bits
        R = {0, 1}^128;
        // Compute the key for encrypting the data file
        Key = MD5_hash (R);
        Return Key;
    }
    Encryption_Process (Data File F, AUL)
    {
        For (each member k in AUL)
        {
            Keyk = {0, 1}^128
            Keyk’ = Key ⊕ Keyk
            Make the entry Keyk’ for member k in the AL and also forward it to member k
        }
        Compute cipher file C = SKA (F, Key)
        Erase (Keyk’)
        Erase (Key)
        Return (Cipher File C to upload to cloud)
    }
}

5. PROPOSED FRAMEWORK

This section explains how the proposed framework works and how it executes various cryptographic
operations to secure shared data. The following basic operations are carried out by the model:

• File Upload: In the proposed system, the data owner is required to encrypt the file for
confidentiality before uploading it to the cloud. To encrypt the file, the data owner
forwards an encryption request, together with the data file F and a permissible users list (PUL),
to the crypto-system (CS) with the access constraint settings. Read-Only and/or Read-Write are

the basic operations of the access control. CS uses the permissible users list to create an authorized
users list (AUL) for each group member in a certain group. The PUL needs to be shared with CS only if
the data owner wants to share a file in a new group; otherwise, the PUL need not be forwarded
with the encryption request. If the group already exists, the data owner sends only the group ID of
that group with the encryption request. After getting the request, CS generates the AUL from the
permissible users list (PUL) and creates a distinct group. An AUL is generated separately for every file.
The AUL keeps information about the file such as the file size, file ID, the data owner ID, a
list of access user IDs, and other metadata. To encrypt a file, CS computes the key and then encrypts
the file using MD5 hash function as per the method described above in Table 1. The resulting
file is called a cipher file (C).

As a result, CS produces Keyk and Keyk’ for every user in the group and then removes Key by
a secure overwriting technique. Further, it incorporates the Keyk entry into the AUL for each user for later
reference. Each encrypted file is secured by CS using a signature-based MD5 hashing technique.
The CS delivers the encrypted data file, Group_ID, and Keyk’ to the intended data owner, and the
group ID and Keyk’ to the remaining users in the group. The group user’s public key can be used to
forward the user’s first half of the key. In the framework, the CS is fully responsible for uploading the
encrypted data file (C) to the cloud, and then removes the obtained Key through secure overwriting. In
the proposed model, the key creation process is executed only once, when the new group is formed.
Thereafter, the key creation process is activated only for new users who want to join the group.
Figure 2 shows the upload operation of the file to the cloud.

• File Download: The authorized group member downloads an encoded file from the cloud
and forwards a decryption request, along with the first half of the user key (Keyk’) and other
authentication details, to the CS. First, the CS computes Key by performing the XOR operation
over the obtained key (Keyk) and the corresponding Keyk’ for user k in the AUL. As every user
in the group is associated with a distinct pair of Keyk and Keyk’, no other user can use the same
Keyk to falsify the identity. If CS obtains the correct Key and the integrity of the file is not violated,
then the decryption succeeds; otherwise, the decryption fails.
After a successful decryption, CS hands over the decrypted file to the requesting user through the
secure channel. After the decryption, CS removes the Key
through the secure overwriting process. In the proposed framework, the authentication
of users is done before the request is processed. Algorithm 2 exemplifies the decryption process
and Figure 3 demonstrates the downloading operation.

Figure 2. File Upload Operation

Figure 3. File Download Operation

Algorithm 2. Decryption process for data file F


Decryption_process (C, AL)
{
    Obtain the first half of the key (Keyk’) from the intended user k;
    Obtain the cipher file (C) either from the intended member or by download from the cloud;
    Retrieve the second half of the key (Keyk) from the authorized users list (AUL);
    if (Keyk is not found)
    {
        Report denial message;
    }
    else
    {
        Compute Key = Keyk ⊕ Keyk’;
        Data_File = SKA (C, Key);
        Forward the Data_File to the intended member;
    }
    erase (Key);
    erase (Keyk’);
}

• File Update: During a file update, there is no need to perform key generation or AUL creation.
To apply an update to the data file, the data owner calls the CS
with an update request. The update call contains the Group ID, File ID and Keyk’ along with the
updated file to be encrypted after the alterations. The CS verifies in the AULs that the
requesting user has the right to update the file. If so, the CS computes the Key by performing the
XOR operation over Keyk and Keyk’, and encrypts the file. After that, CS uploads the updated
encrypted file to the cloud and deletes the Key by the secure overwriting approach. Figure 4 shows
the update operation over the file.
• Adding / Leaving Group Users: The system is required to add or delete a member’s entry in an existing
group according to the authorization policy. A user joins an existing group at the request of
the data owner. The data owner sends the request on behalf of the new user; it contains
the group ID and the user ID of the new user. This request also contains the access control parameters
(Read and/or Write) and the File ID to which the user has been granted access. After receiving
the joining request, CS updates the AULs, computes the key shares, and forwards them to the

Figure 4. File Update Operation

user. The new member can now access the previously encrypted files to which he has been granted
access, which retains backward access control. In the case of a departing group user, the leaving user
informs the data owner. The data owner sends a request, along with the user ID, to the CS to
delete the record of the leaving user from the AULs. After the records of the leaving
user are deleted from the AULs, the leaving user is not able to decrypt the present encrypted file, because
the whole key is not possessed by any of the group members. Hence, the proposed framework also
ensures forward access control.
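
The upload, download, join and leave operations of Sections 4.2 and 5, as an added Python sketch that is not the authors' code. It assumes CS keeps Keyk in the AUL and the user holds Keyk’; `CryptoSystem`, `ska` and the other names are hypothetical, `ska` is a SHA-256 keystream standing in for AES (the Python standard library has no AES), and the join request is assumed to carry the owner's share.

```python
import hashlib
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ska(data: bytes, key: bytes) -> bytes:
    """Stand-in for the paper's SKA (AES): XOR with a SHA-256 counter
    keystream. Self-inverse; for illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(bytes(key) + counter.to_bytes(8, "big")).digest()
        counter += 1
    return xor(data, stream)  # zip() stops at len(data)

def erase(buf: bytearray) -> None:
    """Best-effort overwrite; Python may still hold immutable copies."""
    buf[:] = bytes(len(buf))

class CryptoSystem:
    """Hypothetical CS. Keeps Key_k per user in the AUL and never stores Key."""

    def __init__(self):
        self.aul = {}      # file_id -> {user_id: Key_k}
        self.digest = {}   # file_id -> MD5(F), the H of rule (3)

    def upload(self, file_id, data, users):
        r = secrets.token_bytes(16)                 # R in {0,1}^128
        key = bytearray(hashlib.md5(r).digest())    # Key = MD5_hash(R)
        self.aul[file_id] = {}
        user_shares = {}
        for user in users:
            key_k = secrets.token_bytes(16)         # CS share, stays in the AUL
            self.aul[file_id][user] = key_k
            user_shares[user] = xor(key, key_k)     # Key_k' = Key XOR Key_k
        self.digest[file_id] = hashlib.md5(data).digest()
        cipher = ska(data, key)
        erase(key)
        return cipher, user_shares

    def _rebuild_key(self, file_id, user, user_share):
        key_k = self.aul.get(file_id, {}).get(user)
        if key_k is None:
            raise PermissionError("denied: no AUL entry for this user")
        return bytearray(xor(key_k, user_share))    # Key = Key_k XOR Key_k'

    def download(self, file_id, user, user_share, cipher):
        key = self._rebuild_key(file_id, user, user_share)
        try:
            data = ska(cipher, key)
        finally:
            erase(key)
        if hashlib.md5(data).digest() != self.digest[file_id]:
            raise ValueError("decryption failed: wrong share or altered file")
        return data

    def add_member(self, file_id, owner, owner_share, new_user):
        # Assumption: the owner's join request carries the owner's share, since
        # CS has erased Key and cannot derive a new share without it.
        key = self._rebuild_key(file_id, owner, owner_share)
        key_k = secrets.token_bytes(16)
        self.aul[file_id][new_user] = key_k
        share = xor(key, key_k)
        erase(key)
        return share

    def revoke(self, file_id, user):
        self.aul[file_id].pop(user, None)

def outcome(cs, file_id, user, share, cipher):
    """Return the plaintext, or the name of the error CS raised."""
    try:
        return cs.download(file_id, user, share, cipher)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__

def demo():
    cs = CryptoSystem()
    record = b"constructed sample record: patient 0001, BP 120/80"
    cipher, shares = cs.upload("f1", record, ["alice", "bob"])
    shares["carol"] = cs.add_member("f1", "alice", shares["alice"], "carol")
    results = {
        "alice": outcome(cs, "f1", "alice", shares["alice"], cipher),
        "carol_reads_old_file": outcome(cs, "f1", "carol", shares["carol"], cipher),
        "bob_share_as_alice": outcome(cs, "f1", "alice", shares["bob"], cipher),
        "share_alone": ska(cipher, shares["bob"]) == record,
    }
    cs.revoke("f1", "bob")
    results["bob_after_revoke"] = outcome(cs, "f1", "bob", shares["bob"], cipher)
    return record, results

if __name__ == "__main__":
    print(demo()[1])
```

Because R is already a uniformly random 128-bit value, the secrecy of Key in this sketch rests on the random source and on CS never releasing Keyk, not on MD5's collision resistance.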

6. FORMAL ANALYSIS

For the reader’s benefit, we provide a brief review of High-Level Petri Nets (HLPNs), the Z3 solver,
and the Satisfiability Modulo Theories Library (SMT-Lib) before going into detail about the
analysis of the suggested model.

6.1 High Level Petri Nets (HLPNs)


Petri nets are one of the techniques used to depict distributed, nondeterministic, parallel, and
concurrent systems graphically and mathematically. The traditional Petri net HLPN is used in
this article. An HLPN is represented by the 7-tuple $M = (P, T, F, \Phi, R, L, N_0)$, where $P$
denotes a finite collection of locations and $T$ specifies a finite set of arcs such that $P \cap T = \emptyset$.
The flow relation is denoted by the letter $F$, with $F \subseteq (P \times T) \cup (T \times P)$. $\Phi$ is the map
that assigns data types to the locations. The set of rules for arcs is denoted by $R$. $L$ is a label on $F$,
and $N_0$ represents the initial marking (T. Murata, 1989). The tuple $(P, T, F)$ represents information
about the net’s structure, whereas $(\Phi, R, L)$ denotes
static semantics, i.e., the information does not change throughout the system. Figure 5 depicts
the proposed system’s HLPN model.

6.2 Satisfiability Modulo Theories Library (SMT-Lib) and Z3 Solver


The SMT-Lib is used in the proposed framework to show the satisfiability of processes over theories
under the truth, whereas Z3 is a state-of-the-art theorem prover. The SMT-Lib is used by Z3 as an
automated satisfiability checker and theorem prover. Furthermore, the Z3 solver assesses whether the
collection of formulas is satisfiable in SMT-Lib’s built-in theories. The usage of the SMT-Lib in
the verification process is described by S. U. R. Malik et al., 2012. The relationship and data types
are shown in Tables 1 and 2, respectively.

Figure 5. HLPN model for proposed framework

Table 2. Relationship between data types and locations

Place       Mapping
Φ(User)     P(F × Ui × Keyi × C × gid × H)
Φ(CS)       P(F × Ui × gid × Key × Keyi × Keyi’ × C × H)
Φ(Cloud)    P(C × H)

Whenever a data owner wishes to upload the data file F to the group, he sends the data file along
with a list of permissible users and other parameters to CS. The following rule is associated
with the arc SendDatafile of the HLPN:

$$R(\mathit{SendDatafile}) = \forall y_1 \in Y_1, \forall y_2 \in Y_2 \;\; y_2[1] = y_1[1] \land y_2[2] = y_1[2] \land Y_2 = Y_2 \cup \{y_2\} \tag{1}$$

The symmetric key and other parameters are created by CS for uploading the data file. The
procedure performed on arc GenKey is as follows:

$$R(\mathit{GenKey}) = \forall y_3 \in Y_3 \;\; y_3[3] = \mathit{gengrpID}(y_2[3]) \land y_3[4] = \mathit{genk} \land Y_3 = Y_3 \cup \{y_3\} \tag{2}$$

After generating the symmetric key, CS computes the MD5 hash value for data file F and encrypts
F with the resultant symmetric key, i.e., Key. The result is called cipher data C. The
process is carried out at arc EncryptDatafile with the following rule:

$$R(\text{EncryptDatafile}) = \forall y_4 \in Y_4 \quad y_4[8] = \text{Md5hash}(y_4[1]) \wedge y_4[7] = \text{encrypt}(y_4[1], y_4[4]) \wedge Y_4 = Y_4 \cup \{y_4\} \qquad (3)$$

The CS divides the resultant Key into two shares, i.e., Keyi and Keyi′, for every user in the
AL, and then deletes Key. The arc DivideKey represents this process with the following rule:

$$R(\text{DivideKey}) = \forall y_5 \in Y_5 \quad y_5[5] = \text{gen\_Key}_i() \wedge y_5[6] = (y_5[4] \oplus y_4[5]) \wedge \text{Overwrite}(y_5[4]) \wedge Y_5 = Y_5 \cup \{y_5\} \qquad (4)$$

The resulting cipher data file C, along with the MD5 hash value, the group_ID, and Keyi′, is
forwarded to the data owner. The arc Sendrequest is described by the following rule:

$$R(\text{Sendrequest}) = \forall y_6 \in Y_6, \forall y_7 \in Y_7 \quad y_7[3] = y_6[6] \wedge y_7[4] = y_6[3] \wedge y_7[5] = y_6[7] \wedge y_7[6] = y_6[8] \wedge \text{Overwrite}(y_6[6]) \wedge Y_6 = Y_6 \cup \{y_6\} \wedge Y_7 = Y_7 \cup \{y_7\} \qquad (5)$$

The user outsources the cipher data file to the cloud. The arc Upload is described by the
following rule:

$$R(\text{Upload}) = \forall y_8 \in Y_8, \forall y_9 \in Y_9 \quad y_9[1] = y_8[7] \wedge y_9[2] = y_8[8] \wedge Y_9 = Y_9 \cup \{y_9\} \qquad (6)$$

The user downloads the required cipher data file from the cloud. The arc Download is described
by the following rule:

$$R(\text{Download}) = \forall y_{10} \in Y_{10}, \forall y_{11} \in Y_{11} \quad y_{11}[5] = y_{10}[1] \wedge y_{11}[6] = y_{10}[2] \wedge Y_{11} = Y_{11} \cup \{y_{11}\} \qquad (7)$$

The group user transmits a decryption request to CS along with the encrypted data C, Ui, the
group_ID, and Keyi′. The following rule describes Decryptrequest:

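$$R(\text{Decryptrequest}) = \forall y_{12} \in Y_{12}, \forall y_{13} \in Y_{13} \quad y_{13}[2] = y_{12}[2] \wedge y_{13}[3] = y_{12}[4] \wedge y_{13}[6] = y_{12}[3] \wedge y_{13}[7] = y_{12}[5] \wedge Y_{13} = Y_{13} \cup \{y_{13}\} \qquad (8)$$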

The CS verifies the legitimacy of the requesting user against the AL. If the request comes from a
permissible user, it computes Key according to the procedure described above. The rule for the
transition ComputeKey is as follows:

$$R(\text{ComputeKey}) = \forall y_{14} \in Y_{14} \quad y_{14}[4] = y_{14}[5] \oplus y_{14}[6] \wedge Y_{14} = Y_{14} \cup \{y_{14}\} \qquad (9)$$


After authentication, CS decrypts the required data file F and sends the decrypted data back to
the requesting user. CS subsequently deletes Key and Keyi′. The transition DecryptCipher is described by
the following rule:

$$R(\text{DecryptCipher}) = \forall y_{15} \in Y_{15}, \forall y_{16} \in Y_{16} \quad y_{16}[1] = \text{decrypt}(y_{15}[7], y_{15}[4]) \wedge Y_{16} = Y_{16} \cup \{y_{16}\} \qquad (10)$$

6.3 Proof of Properties


Some of the proved properties are as follows:

• A permissible user in the group cannot participate in generating a legal Key by pretending to be
another user and contributing a random Keyi.
• A permissible user in the group participates in generating a legal Key by contributing a legal Keyi′.
• An unauthorized user outside the group who somehow gets access to the encrypted file cannot
decrypt it.

The proposed framework was converted into the SMT-Lib and verified through the Z3 solver. The
solver proved that the framework is viable and behaves according to the indicated properties.
The Z3 solver took 0.076s to execute the working of the proposed framework.
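The GenKey, DivideKey, ComputeKey and DecryptCipher steps and the first two properties above can be exercised in a few lines of Python. This is an added example, not the authors' C# implementation: the class and function names, the 32-byte key length, the SHA-256 keystream standing in for the unspecified symmetric cipher, and the user-side MD5 comparison against H are all assumptions.

```python
import hashlib
import secrets

KEY_LEN = 32  # bytes; assumed, the page does not state a key size


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: SHA-256 counter keystream, self-inverse."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += xor(data[off:off + 32], pad)
    return bytes(out)


class CryptoSystem:
    """Hypothetical CS: stores only Key_i per (gid, user), never Key."""

    def __init__(self):
        self.access_list = {}  # (gid, user) -> Key_i

    def upload(self, gid, users, data):
        key = secrets.token_bytes(KEY_LEN)          # GenKey, rule (2)
        h = hashlib.md5(data).hexdigest()           # rule (3): MD5, as on the page
        c = cipher(key, data)                       # rule (3): C = encrypt(F, Key)
        shares = {}
        for user in users:                          # DivideKey, rule (4)
            key_i = secrets.token_bytes(KEY_LEN)
            self.access_list[(gid, user)] = key_i
            shares[user] = xor(key, key_i)          # Key_i' = Key XOR Key_i
        del key  # stands in for Overwrite(Key); Python cannot zero the buffer
        return c, h, shares

    def decrypt(self, gid, user, share, c):
        key_i = self.access_list.get((gid, user))
        if key_i is None:                           # caller is not in the AL
            raise PermissionError(user)
        return cipher(xor(key_i, share), c)         # rules (9) and (10)


def attempt(cs, gid, user, share, c, h):
    """User side (assumed): accept the plaintext only if its MD5 equals H."""
    try:
        data = cs.decrypt(gid, user, share, c)
    except PermissionError:
        return "rejected: not in AL"
    return data if hashlib.md5(data).hexdigest() == h else "rejected: wrong Key"


def demo():
    cs = CryptoSystem()
    record = b"constructed sample record: patient 0001, BP 120/80"
    c, h, shares = cs.upload("g1", ["alice", "bob"], record)
    return {
        "legal share": attempt(cs, "g1", "alice", shares["alice"], c, h),
        "impersonation": attempt(cs, "g1", "bob", shares["alice"], c, h),
        "random share": attempt(cs, "g1", "alice", secrets.token_bytes(KEY_LEN), c, h),
        "outsider": attempt(cs, "g1", "mallory", shares["alice"], c, h),
    }
```

Calling `demo()` returns the plaintext for the legal share and a rejection string for the other three cases. With a wrong share CS still returns bytes; it is the MD5 comparison that shows they are not F.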

7. EXPERIMENTAL ANALYSIS

Users, CS, and the cloud are the three main components of our framework. The suggested framework
was tested on a system running the Windows 10 operating system with an Intel i3 7th-generation
processor at 2.4 GHz and 8 GB of RAM. Visual Studio 2015 C# was used to implement the method.
Amazon S3 was employed as the cloud server, and the Amazon Web Services tools
were used to interact with it. CS was used as a reliable third party. To interface with CS and obtain
services, a client application was utilized, which included the user's functionality. .NET libraries are
used to create secure links between objects, and the MD5 Crypto library is employed to access all of the
functionality associated with the MD5 hash function.

• Key Formation Time: The suggested technique creates a distinct key for every data file. On the
other hand, file transmission time and key forwarding are assessed independently for each group
member. The time taken to generate the key for the requested job is measured at intervals of
10 users, for example, 10 - 100 cloud users (CUs). A comparative study was made between the
SeDaSC scheme (M. Ali et al., 2017), which employs the SHA256 hash function, and
the proposed scheme, which employs the MD5 hash function, as shown in Figure 6. Figure 6
shows that as the number of users grows, the time it takes to generate the keys grows as well, and
that the suggested approach takes less time to generate the keys than SeDaSC.
Figure 7 demonstrates that SeDaSC and the proposed method take negligible time (a straight
line) to form the keys compared with the A.N. Khan et al., L. Xu et al., and S. Seo et al. schemes.
• Execution time to encrypt or decrypt a file: The proposed encryption/decryption techniques
were tested to see how long it took to encode and decode different file sizes. The results were
obtained using 0.1, 0.5, 1, 10, 100, and 500 MB files. In the proposed framework, CS computes
the key first and then uses this key to encode and decode the file. The results demonstrate
that the time taken to generate a key is less than the time taken to encrypt and decrypt
a data file. This is done to determine the overhead of key generation relative to the total
encryption and decryption times. The times spent on key creation, encryption, and decryption
are measured independently, and the results are compared in Figure 8 and
Figure 9, respectively.

Figure 6. Key Formation execution time for SeDaSC and the proposed method

Figure 7. Key formation times of various methods

Figure 8 shows the encryption time of SeDaSC and the proposed method for varied
file sizes. The result reveals that as file sizes grow larger, the time it takes to encrypt them grows
longer. However, apart from small variations, the key creation time remains nearly constant across
data file sizes. This is because the key's computation time is independent of the file size.
Figure 9 shows the overall decryption time of SeDaSC and the proposed
method for various file sizes. The encryption and decryption results follow
a similar pattern. For smaller files, the key creation time is longer than the decryption time.

Figure 8. Execution Time for various data files size

Figure 9. Overall decryption times for distinct data file sizes


Consequently, for a large file, the key computation is an insignificant part of the decryption time.
The comparative study in Figure 8 and Figure 9 reveals that the proposed method is more efficient
than the SeDaSC scheme, as it takes less execution time for key computation and for the
encryption/decryption process.
Table 3 presents a comparative examination of key computation times for several existing
systems when the group is created with 10, 20, 30, 40, 50, 60, 70, 80, 90, 100 users.
Looking closely at the findings, the key computation times
for SeDaSC and the suggested approach are significantly lower than those of the other schemes. In
comparison to the SeDaSC approach (M. Ali et al., 2017), the proposed method takes less
time. We also compute the total time taken to upload/download files of various sizes to/from
the cloud using the different methods.
Table 4 shows the uploading and downloading times of the various methods for distinct file
sizes. Figure 10 and Figure 11 present the comparative study of uploading and
downloading times, from which we conclude that the proposed method takes less uploading/downloading
time than the others. Finally, it can be inferred that the proposed method outperforms previous schemes
while requiring the least amount of sophisticated processing.

8. CONCLUSION

The presented research work offers a cloud-based security framework that provides privacy
and confidentiality for health records or files that are to be shared among different users in a
group without any re-encryption process. Furthermore, the proposed technique includes forward
and backward access control that allows only authorized individuals to access specific files. It also
ensures that all the parameters required to decode a file are removed from the crypto system for
security purposes, and it reduces the data owner's load by moving all computation tasks to the Crypto
System. In order to demonstrate the model's security and efficiency, the framework's performance
is assessed using a variety of parameters such as key formation, uploading, and downloading time. A
comparative study is carried out which shows a significant improvement in the considered parameters
using the proposed technique.

Table 3. Comparison of key computation times for various schemes

| Number of users | A.N. Khan et al., 2014 | L. Xu et al., 2012 | S. Seo et al., 2013 | SeDaSC, 2017 | Proposed Method |
|---|---|---|---|---|---|
| 10 | 1.534 | 1.494 | 1.594 | 0.004 | 0.0034 |
| 20 | 1.606 | 1.598 | 1.741 | 0.0042 | 0.004 |
| 30 | 1.684 | 1.673 | 2.321 | 0.0047 | 0.0044 |
| 40 | 1.799 | 1.791 | 1.888 | 0.005 | 0.0047 |
| 50 | 1.866 | 1.907 | 1.952 | 0.0051 | 0.0049 |
| 60 | 1.923 | 1.954 | 2.193 | 0.0055 | 0.005 |
| 70 | 2.034 | 1.994 | 2.286 | 0.006 | 0.0053 |
| 80 | 2.129 | 2.092 | 2.694 | 0.0063 | 0.0057 |
| 90 | 2.388 | 2.401 | 2.827 | 0.0067 | 0.006 |
| 100 | 2.545 | 2.495 | 2.887 | 0.007 | 0.0062 |


Figure 10. Uploading Time of various methods

Figure 11. Downloading Time of various methods

The suggested technique applies the MD5 hash function to improve the execution speed and
memory usage. Therefore, the proposed architecture increases the system’s efficiency and is considered
cost effective in terms of memory usage during key creation, encryption, and decryption.


Table 4. Computation of uploading/downloading (UL/DL) time on distinct file sizes for various methods

| File Size | A.N. Khan et al., 2014 (UL) | A.N. Khan et al., 2014 (DL) | L. Xu et al., 2012 (UL) | L. Xu et al., 2012 (DL) | S. Seo et al., 2013 (UL) | S. Seo et al., 2013 (DL) | SeDaSC, 2017 (UL) | SeDaSC, 2017 (DL) | Proposed Method (UL) | Proposed Method (DL) |
|---|---|---|---|---|---|---|---|---|---|---|
| 0.1 | 1.332 | 1.035 | 0.81 | 0.729 | 1.26 | 0.891 | 0.72 | 0.72 | 0.63 | 0.63 |
| 0.5 | 1.701 | 1.179 | 1.062 | 0.864 | 1.332 | 0.927 | 0.864 | 0.864 | 0.765 | 0.72 |
| 1 | 2.61 | 1.665 | 1.62 | 1.251 | 1.854 | 1.332 | 1.062 | 0.972 | 0.864 | 0.846 |
| 10 | 13.131 | 9.405 | 11.745 | 8.919 | 13.455 | 8.91 | 5.832 | 5.769 | 4.212 | 4.05 |
| 50 | 54.333 | 32.31 | 48.312 | 30.105 | 52.704 | 32.013 | 9.216 | 8.901 | 7.065 | 6.66 |
| 100 | 139.635 | 55.431 | 89.721 | 51.426 | 101.169 | 53.226 | 18.612 | 16.821 | 13.932 | 13.122 |
| 500 | 784.881 | 360.189 | 332.748 | 193.77 | 442.827 | 206.829 | 35.325 | 30.285 | 25.821 | 23.868 |

FUNDING AGENCY

The publisher has waived the Open Access Processing Fee for this article.


REFERENCES

Abbas, A., & Khan, S. U. (2014). A review on the State-of-the-art privacy preserving approaches in e-health
clouds. IEEE Journal of Biomedical and Health Informatics, 18(1), 1431–1441. doi:10.1109/JBHI.2014.2300846
PMID:25014943
Alhamazani, K. (2014). An overview of the commercial cloud monitoring tools: Research dimensions, design
issues, state-of-the-art. Computing. Advance online publication. doi:10.1007/s00607-014-0398-5
Ali, M., Dhamotharan, R., Khan, E., Khan, S. U., Vasilakos, A. V., Li, K., & Zomaya, A. Y. (2017,
June). SeDaSC: Secure Data Sharing in Clouds. IEEE Systems Journal, 11(2), 395–404.
doi:10.1109/JSYST.2014.2379646
Anam, S. Hossain, & Dahal. (2010). Review on the Advancements of DNA Cryptography.
arXiv:1010.0186v[cs.CR].
Arora, R., & Parashar, A. (2013). Secure user data in cloud computing using encryption algorithms. International
Journal of Engineering Research and Applications, 3(4), 1922–1926.
Boneh, D., Boyen, X., & Goh, E. J. (2005). Hierarchical identity based encryption with constant size ciphertext.
In Advances in Cryptology–EUROCRYPT (pp. 440–456). Springer. doi:10.1007/11426639_26
Chen, D., Li, X., Wang, L., Khan, S. U., Wang, J., Zeng, K., & Cai, C. (2015, March). Fast and scalable multi-way
analysis of massive neural data. IEEE Transactions on Computers, 64(3), 707–719. Advance online publication.
doi:10.1109/TC.2013.2295806
Chen, Y., & Tzeng, W. (2012). Efficient and provably-secure group key management scheme using key derivation.
Proc. IEEE 11th Int. Conf. Trust Com, 295–302. doi:10.1109/TrustCom.2012.138
Fan, Y., Lin, X., Tan, G., Zhang, Y., Dong, W., & Lei, J. (2019). One secure data integrity verification scheme
for cloud storage. Future Generation Computer Systems, 96, 376–385.
Garg, N., Bawa, S., & Kumar, N. (2020). An efficient data integrity auditing protocol for cloud computing. Future
Generation Computer Systems, 109. Advance online publication. doi:10.1016/j.future.2020.03.032
Gastermann, Stopper, Kossik, & Katalinic. (2015). Secure implementation of an on-premises cloud storage
service for small and medium-sized enterprises. doi:10.1016/j.proeng.2015.01.407
Gehani, A., La Bean, T., & Reif, J. (2000). DNA-Based Cryptography. DIMACS DNA Based Computers V.
American Mathematical Society.
Gehani, A., LaBean, T., & Reif, J. (2004). DNA-based cryptography. Lecture Notes in Computer Science, 2950,
167–188. doi:10.1007/978-3-540-24635-0_12
Gola, K. K., Gupta, B., & Iqbal, Z. (2014). Modified RSA digital signature scheme for data confidentiality.
International Journal of Computers and Applications, 106(13).
Goyal, V., Pandey, O., Sahai, A., & Waters, B. (2006). Attribute-based encryption for fine-grained access
control of encrypted data. Proceedings of the 13th ACM conference on Computer and Communications
Security, 89–98.
Gupta, L. M., Garg, H., & Samad, A. (2019). An improved DNA Based Security Model using Reduced Cipher
Text Technique. International Journal of Computer Network and Information Security, 11(7), 13–20.
doi:10.5815/ijcnis.2019.07.03
Gupta, Samad, & Garg. (2020). TBHM: A Secure Threshold-Based Encryption Combined With Homomorphic
Properties for Communicating Health Records. International Journal of Information Technology and Web
Engineering, 15(3), 1-17.
Gutmann, P. (1996). Secure deletion of data from magnetic and solid-state memory. Proc. 6th USENIX Security
Symp. Focusing Appl. Cryptography, 8.
Khan, A. N., & Kiah, M. L. M. (2014). Incremental proxy re-encryption scheme for mobile cloud computing
environment. J Supercomput, 68, 624–651. doi:10.1007/s11227-013-1055-z


Khan, A. N., Kiah, M. L. M., Khan, S. U., & Madani, S. A. (2013). Towards secure mobile cloud computing: A
survey. Future Generation Computer Systems, 29(5), 1278–1299. doi:10.1016/j.future.2012.08.003
Khan, A. N., Kiah, M. M., Madani, S. A., Ali, M., & Shamshir-band, S. (2014). Incremental proxy re-encryption
scheme for mobile cloud computing environment. The Journal of Supercomputing, 68(2), 624–651.
doi:10.1007/s11227-013-1055-z
Liu, Chen, & Zhang. (2010). Secure applications of RSA system in the electronic commerce. International
Conference on Future Information Technology and Management Engineering, 1, 86-89.
Malik, S. U. R., Srinivasan, S. K., Khan, S. U., & Wang, L. (2012). A methodology for OSPF routing protocol
verification. Proc. 12th Int. Conf. ScalCom, 1–5.
Meenakumari & Athisha. (2014). Improving message authentication by integrating encryption with hash function
and its VLSI implementation. Int. J. Innov. Res. Electr. Electron. Instrum. Control Eng.
Murata, T. (1989, April). Petri Nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4),
541–580.
Pushpalatha. (2015). Design and Implementation of hybrid cryptosystem using AES and hash function. IOSR
J. Electron. Commun., 2.
Putri Ratna, A. A., Dewi Purnamasari, P., Shaugi, A., & Salman, M. (2013). Analysis and comparison of MD5
and SHA-1 algorithm implementation in Simple-O authentication based security system. 2013 International
Conference on QiR, 99-104. doi:10.1109/QiR.2013.6632545
Rachmawati, D., Tarigan, J. T., & Ginting, A. B. C. (2018). A comparative study of Message Digest 5 (MD5)
and SHA256 algorithm. Journal of Physics: Conference Series, 978(1), 012116.
Rewadkar, D. N., & Ghatage, S. Y. (2014). Cloud storage system enabling secure privacy preserving third party
audit. Control, Instrumentation, Communication and Computational Technologies (ICCICCT), International
Conference on.
Seo, S., Nabeel, M., Ding, X., & Bertino, E. (2013). An Efficient Certificateless Encryption for Secure Data
Sharing in Public Clouds. IEEE Transactions on Knowledge and Data Engineering, 26(9), 2107–2119.
Shakya, A., & Karna, N. (2019). Proceedings of the 3rd International Conference on Cryptography, Security
and Privacy. Academic Press.
Shen, J., Zhou, T., He, D., Zhang, Y., Sun, X., & Xiang, Y. (2019). Block Design-Based Key Agreement for
Group Data Sharing in Cloud Computing. IEEE Transactions on Dependable and Secure Computing, 16(6),
996-1010. doi:10.1109/TDSC.2017.2725953
Wei, L., Zhu, H., Cao, Z., Chen, Y., & Vasilakos, A. V. (2014). Security and privacy for storage and computation
in cloud computing. Inf.Sci., 258, 371–386. doi:10.1016/j.ins.2013.04.028
Xu, L., Wu, X., & Zhang, X. (2012). CL-PRE: A certificateless proxy re-encryption scheme for secure data
sharing with public cloud. Proc. 7th ACM Symp. Inf., Comput. Commun. Security, 87–88.


Lalit Mohan Gupta is pursuing PhD. in Computer Science from Dr. APJ Abdul Kalam Technical University,
LUCKNOW (U.P.). He did M.Tech. in Software Engineering from Aligarh Muslim University, Aligarh and has more
than 14 years of teaching experience in the field of Computer Science Engineering. Presently, he is working as
an Assistant Professor in Aligarh College of Engineering & Technology, Aligarh in the department of Computer
Science & Engineering. The main research area of Mr. Gupta is cloud computing and information security. He has
published several research papers in national and international peer-review journals/conferences.

Hitendra Garg did his Ph.D. (CSE) at the Motilal Nehru National Institute of Technology, Allahabad, and a Masters
(Software Systems) from BITS-Pilani. He is presently working as an Associate Professor in the Department of
Computer Engineering & Applications, GLA University, Mathura, India. He has a total experience of more than
20 years in the field of academics/research. He has more than 27 research papers in the international journals/
conference of repute. His research areas are image processing, cryptography, 3D data processing, etc.

Abdus Samad is working as an Associate Professor in the Department of Computer Engg., Zakir Husain College
of Engg & Tech, AMU, Aligarh, and having teaching experience of more than 20 years. He is currently serving as
Head of the Section. He completed his PhD at the Dept. of Computer Engineering, AMU, Aligarh in the year 2010.
His research areas include parallel and distributed systems, algorithm design, microprocessor, and parallel system
design. He has supervised PhD as well as M.Tech. dissertations. He has contributed and attended various national
and international conferences in India and abroad, and published papers in reputed journals. He has also delivered
keynote addresses and invited talks in conferences and workshops. Dr Samad is a Member of IE (India), IETE
and also serving as Honorary Secretary of IETE Aligarh Centre. He is also a member of the Curriculum Design
Committee of the University Polytechnic, JMI, New Delhi. He shares various responsibilities in the department
and also actively participated in various positions in the university administration, such as Assistant Proctor, and
Warden of various halls of residence.
