Security Analysis of a Certificateless Provable Data Possession Scheme in Cloud

He et al. proposed a certificateless provable data possession protocol for big data storage on cloud. They claimed that the scheme is not only secure, but also can achieve data integrity checking without downloading the stored data from the cloud server. However, in this paper, we show that He et al.’s protocol has some security flaw and cannot get the property of data integrity checking at all. Specifically, by observing certificateless signature used in their provable data possession protocol, we find that the cloud server (or any user who gets signature-message pairs) can generate a valid signature of any message. Then, the cloud server can tamper data stored by the data owner and successfully passes the data integrity checking via two different conditions according to the verifier knows or does not know the identity of blocks of data.

[1]  Huaqun Wang,et al.  Proxy Provable Data Possession in Public Clouds , 2013, IEEE Transactions on Services Computing.

[2]  Chengliang Tian,et al.  How to securely outsource the inversion modulo a large composite number , 2017, J. Syst. Softw..

[3]  Fagen Li,et al.  Analysis of a mobile payment protocol with outsourced verification in cloud server and the improvement , 2018, Comput. Stand. Interfaces.

[4]  Guomin Yang,et al.  Probabilistic Public Key Encryption with Equality Test , 2010, CT-RSA.

[5]  Fenghua Li,et al.  Certificateless public auditing for data integrity in the cloud , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[6]  Duncan S. Wong,et al.  Certificateless Public-Key Signature: Security Model and Efficient Construction , 2006, ACNS.

[7]  Rafail Ostrovsky,et al.  Public Key Encryption with Keyword Search , 2004, EUROCRYPT.

[8]  Hongjie Chen,et al.  Improvement of an outsourced attribute-based encryption scheme , 2019, Soft Computing.

[9]  Jin Li,et al.  Securely Outsourcing Attribute-Based Encryption with Checkability , 2014, IEEE Transactions on Parallel and Distributed Systems.

[10]  Yongdae Kim,et al.  Securing distributed storage: challenges, techniques, and systems , 2005, StorageSS '05.

[11]  Fagen Li,et al.  IBEET-RSA: Identity-Based Encryption with Equality Test over RSA for Wireless Body Area Networks , 2019, Mobile Networks and Applications.

[12]  Ejaz Ahmed,et al.  A review on remote data auditing in single cloud server: Taxonomy and open issues , 2014, J. Netw. Comput. Appl..

[13]  Reza Curtmola,et al.  Remote data checking using provable data possession , 2011, TSEC.

[14]  Kenneth G. Paterson,et al.  Certificateless Public Key Cryptography , 2003 .

[15]  G. Ravi,et al.  Attribute Based Encryption With Verifiable Outsourced Decryption , 2014 .

[16]  Yu Chen,et al.  Auditing for Data Integrity and Reliability in Cloud Storage , 2015, Handbook on Data Centers.

[17]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[18]  Hongjie Chen,et al.  An Efficient Deniable Authenticated Encryption Scheme for Privacy Protection , 2019, IEEE Access.

[19]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[20]  Fagen Li,et al.  Identity-Based Public Verification with Privacy-Preserving for Data Storage Security in Cloud Computing , 2013, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[21]  Matthew Green,et al.  Outsourcing the Decryption of ABE Ciphertexts , 2011, USENIX Security Symposium.

[22]  Huaqun Wang,et al.  Identity-Based Distributed Provable Data Possession in Multicloud Storage , 2015, IEEE Transactions on Services Computing.

[23]  Xiaowei Yang,et al.  Identity-Based Remote Data Integrity Checking of Cloud Storage From Lattices , 2017, 2017 3rd International Conference on Big Data Computing and Communications (BIGCOM).

[24]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[25]  Sherali Zeadally,et al.  Certificateless Public Auditing Scheme for Cloud-Assisted Wireless Body Area Networks , 2018, IEEE Systems Journal.

[26]  Kim-Kwang Raymond Choo,et al.  Privacy-preserving certificateless provable data possession scheme for big data storage on cloud , 2017, Appl. Math. Comput..

[27]  Elaine Shi,et al.  Practical dynamic proofs of retrievability , 2013, CCS.