
On The Security of An Efficient Dynamic Auditing Protocol in Cloud Storage


IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 10, OCTOBER 2014

Short Papers

On the Security of an Efficient Dynamic Auditing Protocol in Cloud Storage

Jianbing Ni, Yong Yu, Yi Mu, Senior Member, IEEE, and Qi Xia

J. Ni, Y. Yu and Q. Xia are with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, No. 2006, Xiyuan Ave, West Hi-Tech Zone, Chengdu 611731, Sichuan, People's Republic of China. E-mail: nimengze@126.com, xiaqi@uestc.edu.cn.

Y. Yu and Y. Mu are with the Center for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Wollongong, NSW 2522, Australia. E-mail: yyucd2012@gmail.com, ymu@uow.edu.au.

Manuscript received 11 Mar. 2013; revised 25 May 2013; accepted 25 June 2013. Date of publication 14 Aug. 2013; date of current version 17 Sept. 2014. Recommended for acceptance by L.E. Li. For information on obtaining reprints of this article, please send e-mail to: reprints@ieee.org, and reference the Digital Object Identifier below. Digital Object Identifier no. 10.1109/TPDS.2013.199

1045-9219 © 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Abstract—Using cloud storage, data owners can remotely store their data and enjoy the on-demand high quality cloud services without the burden of local data storage and maintenance. However, this new paradigm does trigger many security concerns. A major concern is how to ensure the integrity of the outsourced data. To address this issue, recently, a highly efficient dynamic auditing protocol (IEEE Transactions on Parallel and Distributed Systems, doi:10.1109/TPDS.2013.199) for cloud storage was proposed which enjoys many desirable features. Unfortunately, in this letter, we demonstrate that the protocol is insecure when an active adversary is involved in the cloud environment. We show that the adversary is able to arbitrarily modify the cloud data without being detected by the auditor in the auditing process. We also suggest a solution to fix the problem while preserving all the properties of the original protocol.

Index Terms—Auditing protocol, cloud storage, data integrity, security analysis

1 INTRODUCTION

Cloud storage allows data owners to remotely store their data and access them via networks at anytime and from anywhere. Despite the obvious benefits such as improved scalability and accessibility, data replication and backup of cloud storage, it also brings new security challenges to the cloud data security. Once the data are outsourced, the data owners relinquish the control over the fate of their data. The server may hide data loss accidents to maintain the reputation, or discard the data which have not been or are rarely accessed to save storage space [1]. Therefore, it is highly essential for data owners to check the integrity and availability of the cloud data.

Several novel and efficient auditing protocols such as [2], [3] have been proposed to ensure the integrity of the static data. However, static storages are far from sufficient for cloud applications. The data stored in the cloud may be frequently updated by the users, including insertion, deletion, modification, appending, reordering, etc. Recently, an efficient auditing protocol [4] was proposed to support data dynamic operations and batch auditing. This protocol, which employed the data fragment technique and homomorphic verifiable tags, is suitable for large scale cloud storage systems since it enjoys low storage overhead and communication cost.

In this letter, we revisit the dynamic auditing protocol in [4] and show that there is a security flaw when an active adversary is involved in the protocol. Specifically, an active adversary is able to arbitrarily modify the cloud data and produce a valid auditing proof to pass the auditing verification. As a result, this adversary can fool the auditor and the data owner to believe that the data are well maintained in the cloud, while the data has already been corrupted. In this attack, the information that the adversary needs to possess is how data are modified, instead of the content of the data or any data tags. We then give a solution to fix the problem without sacrificing any desirable features of the original protocol.

2 REVIEW THE PROTOCOL

The data component $M$, which is divided into $n$ blocks and each block is further split into $s$ sectors, is the file to be stored in the cloud. The data component is denoted as $M = \{m_{ij}\}_{i \in [1,n],\, j \in [1,s]}$ and the abstract information of $M$ is denoted as $M_{info}$. Let $G_1$, $G_2$ and $G_T$ be three multiplicative cyclic groups of prime order $p$, $g_1$ and $g_2$ be the generators of $G_1$ and $G_2$. $e : G_1 \times G_2 \to G_T$ denotes an admissible bilinear pairing and $h : \{0,1\}^* \to G_1$ is a secure hash function that maps the $M_{info}$ to a point in $G_1$. Here we briefly review their protocol which involves five phases: KeyGen, TagGen, Chall, Prove and Verify. We skip the parts of dynamic auditing and batch auditing and readers are referred to [4] for the details.

$\mathrm{KeyGen}() \to (pk_t, sk_t, sk_h)$. This algorithm takes the security parameter as input and chooses two random numbers $sk_t, sk_h \in \mathbb{Z}_p$. It outputs the public tag key as $pk_t = g_2^{sk_t} \in G_2$, the secret tag key $sk_t$ and the secret hash key $sk_h$.

$\mathrm{TagGen}(M, sk_t, sk_h) \to T$. This algorithm takes the data component $M$, the secret tag key $sk_t$ and the secret hash key $sk_h$ as inputs. It chooses $s$ random values $x_1, \ldots, x_s \in \mathbb{Z}_p$ and computes $u_j = g_1^{x_j} \in G_1$ for $j \in [1,s]$. Then, for each block $m_i$ ($i \in [1,n]$), it computes a tag $t_i$ as

$$t_i = \left( h(sk_h, W_i) \cdot \prod_{j=1}^{s} u_j^{m_{ij}} \right)^{sk_t},$$

where $W_i = FID \| i$, in which $FID$ is the unique identifier of the data component $M$ and $i$ denotes the block number of $m_i$. It outputs the set of data tags $T = \{t_i\}_{i \in [1,n]}$.

$\mathrm{Chall}(M_{info}) \to C$. This algorithm takes the abstract information $M_{info}$ as input. It selects some data blocks to construct a challenge set $Q$ and picks a random $v_i \in \mathbb{Z}_p$ for each $m_i$ ($i \in Q$). Then, it picks a random $r \in \mathbb{Z}_p$, computes the challenge stamp $R = (pk_t)^r$ and outputs the challenge $C = (\{i, v_i\}_{i \in Q}, R)$.

$\mathrm{Prove}(M, T, C) \to P$. This algorithm takes the data component $M$, the data tags $T$ and the challenge $C$ as inputs and outputs a proof $P = (TP, DP)$. The $TP$ is generated as

$$TP = \prod_{i \in Q} t_i^{v_i}.$$

To generate the $DP$, it first computes $MP_j = \sum_{i \in Q} v_i \cdot m_{ij}$ for each $j \in [1,s]$. Then, it computes $DP$ as

$$DP = \prod_{j=1}^{s} e(u_j, R)^{MP_j}.$$

$\mathrm{Verify}(C, P, sk_h, pk_t, M_{info}) \to 0/1$. This algorithm takes the challenge $C$, the proof $P$, the secret hash key $sk_h$, the public tag key $pk_t$ and the abstract information $M_{info}$ as inputs. It computes $H_{chal} = \prod_{i \in Q} h(sk_h, W_i)^{r v_i}$, and then checks the following verification equation:

$$DP \cdot e(H_{chal}, pk_t) \stackrel{?}{=} e(TP, g_2^{r}).$$

If the equation holds, output 1; otherwise, output 0.
3 ON THE SECURITY OF THE PROTOCOL

The auditing protocol described above enjoys the desirable feature of data privacy, and can be extended to support dynamic auditing and batch auditing for multiple owners and multiple clouds [4]. Regarding the security of the protocol, three kinds of attacks were considered in [4]. First, an adversary cannot choose another valid and uncorrupted pair of data block and data tag $(m_k, t_k)$ to replace a challenged pair of data block and data tag $(m_i, t_i)$, when it has already discarded $m_i$ or $t_i$. Second, an adversary cannot forge the data tag for a data block to deceive the auditor. Finally, an adversary cannot generate a valid proof from the previous proofs or other information, without retrieving the outsourced data. However, stronger adversaries may exist in the real cloud environment. For example, an active adversary may corrupt or alter the data at his will and also modify the protocol messages in the network in order to fool the auditor and the owner to believe that the data are well maintained by the cloud server. Such kind of an adversary can be a malicious programmer who can plant bugs in the software and network protocols running on the cloud.

Assume the adversary modifies each data sector $m_{ij}$ to $m_{ij}^* = m_{ij} + l_{ij}$ for $i \in [1,n]$, $j \in [1,s]$. The information the adversary needs to record is $l_{ij}$ (i.e. how the owner's data are modified).

In the auditing process, the auditor and the server honestly execute the protocol. That is, in Chall phase, the auditor sends a challenge $C = (\{i, v_i\}_{i \in Q}, R)$ to the server. In Prove phase, the server computes $TP = \prod_{i \in Q} t_i^{v_i}$, and $DP^*$ as

$$DP^* = \prod_{j=1}^{s} e(u_j, R)^{MP_j^*} = \prod_{j=1}^{s} e(u_j, R)^{\sum_{i \in Q} v_i (m_{ij} + l_{ij})} = DP \cdot \prod_{j=1}^{s} e(u_j, R)^{\sum_{i \in Q} v_i l_{ij}},$$

and then sends the proof $P^* = (TP, DP^*)$ to the auditor. The adversary intercepts the proof $P^* = (TP, DP^*)$ on the channel, and modifies $DP^*$ to $DP = DP^* / \prod_{j=1}^{s} e(u_j, R)^{\sum_{i \in Q} v_i l_{ij}}$. It is easy to see that by doing such a simple modification, the adversary derives a correct proof with respect to the original data blocks $m_i$ ($i \in Q$). As a result, the modified proof can pass the verification in the auditing protocol. In this way, the adversary successfully fools the auditor to trust that the data in the cloud are well maintained, while the data have been corrupted.

The original auditing protocol is vulnerable to the attack from an active adversary since it does not provide authentication of the response, so we suggest employing a secure digital signature scheme to prevent the proof from being modified. Specifically, in KeyGen phase, the algorithm outputs additional two parameters $(sk_S, pk_S)$ as the cloud server's secret/public key pair. In the auditing process, before sending the proof $P = (TP, DP)$ to the auditor, the server uses its secret key $sk_S$ to generate a signature $\sigma$ of $P$ and sends $(TP, DP, \sigma)$ as the response to the challenge. Upon receiving the response, the auditor first verifies the signature $\sigma$. If it is valid, the auditor performs the Verify phase of the original auditing protocol; otherwise, discards the response.

It is easy to verify that the fixed protocol still preserves the properties of the original protocol such as dynamic auditing and batch auditing. For the performance of the fixed protocol, it is slightly heavier in computation and communication than the original protocol, since the server needs to compute a signature $\sigma$ and forward it to the auditor additionally, and the auditor will perform an extra signature verification. Taking DSA or its elliptic curve version [5] as an example, the server needs to perform 1 exponentiation to generate the $\sigma$ and the auditor will run about 1.5 exponentiations to verify the validation of $\sigma$. For the communication overhead, the signature $\sigma$, which is about 320 bits, will be appended to the original response and sent to the auditor. The storage overhead remains unchanged compared with the original protocol.

4 CONCLUSION

In this letter, we revisited the dynamic and privacy-preserving auditing protocol for the cloud storage proposed in [4] and demonstrated that an active adversary can modify the auditing proof to fool the auditor and the owner that the remote cloud files are pristine, while the files have been corrupted. We also suggested a solution to remedy this weakness without losing any features of the original protocol.

ACKNOWLEDGMENTS

The authors would like to thank the editors and the anonymous referees for their valuable comments. The second author was supported by the University of Wollongong VC Fellowship. This work was supported by the NSFC of China under Grant 61003232, the National Research Foundation for the Doctoral Program of Higher Education of China under Grant 20100185120012, the NSFC of China for International Young Scientists under Grant 61250110543, and the Fundamental Research Funds for the Central Universities under Grants ZYGX2010J066 and ZYGX2011J067.

REFERENCES

[1] Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, "Enabling Public Auditability and Data Dynamics for Storage Security in Cloud Computing," IEEE Trans. Parallel and Distributed Systems, vol. 22, no. 5, pp. 847-859, May 2011.
[2] H. Shacham and B. Waters, "Compact Proofs of Retrievability," J. Cryptology, vol. 26, no. 3, pp. 442-483, 2013.
[3] C. Wang, Q. Wang, K. Ren, and W. Lou, "Privacy-Preserving Public Auditing for Data Storage Security in Cloud Computing," Proc. IEEE INFOCOM, pp. 525-533, 2010.
[4] K. Yang and X. Jia, "An Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud Computing," IEEE Trans. Parallel and Distributed Systems, vol. 24, no. 9, pp. 1717-1726, Sept. 2013.
[5] Public Key Cryptography for the Financial Services Industry, "The Elliptic Curve Digital Signature Algorithm (ECDSA)," ANSI X9.62, 1999.
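
The verification equation of Section 2 and the response-authentication fix of Section 3, worked through as an added example (not code from the letter or from [4]). It is a toy model with no cryptographic security: each group element is stored as its exponent, so the pairing becomes a multiplication mod a prime and only the algebra is reproduced. The function names, the constructed sample data and the toy Schnorr signature standing in for DSA/ECDSA are assumptions.

```python
import hashlib, secrets
P = 2**127 - 1  # toy prime: the group order p, reused as the signature modulus
rnd = lambda: secrets.randbelow(P - 1) + 1

def H(*parts):  # hash to Z_P; models h(sk_h, W_i) and the signature hash
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % P
# Toy model: a group element g^a is stored as its exponent a, so multiplying
# elements adds exponents and the pairing e(g1^a, g2^b) becomes a*b mod P.
def taggen(M, sk_t, sk_h):
    u = [rnd() for _ in M[0]]  # u_j = g1^{x_j}
    return u, [(H(sk_h, "FID", i) + sum(x * m for x, m in zip(u, blk))) * sk_t % P
               for i, blk in enumerate(M)]  # tags t_i

def mix(A, Q, u, R):  # exponent of prod_j e(u_j, R)^(sum_i v_i * A[i][j])
    return sum(x * R * sum(v * A[i][j] for i, v in Q.items()) for j, x in enumerate(u)) % P

def prove(M, T, u, Q, R):  # returns (TP, DP)
    return sum(v * T[i] for i, v in Q.items()) % P, mix(M, Q, u, R)

def verify(Q, r, proof, sk_h, pk_t):  # DP * e(H_chal, pk_t) == e(TP, g2^r)
    TP, DP = proof
    H_chal = sum(H(sk_h, "FID", i) * r * v for i, v in Q.items())
    return (DP + H_chal * pk_t) % P == TP * r % P

def sign(sk, msg):  # toy Schnorr signature in Z_P^* with base 3
    k = rnd()
    c = H(pow(3, k, P), msg)
    return c, (k + sk * c) % (P - 1)
def sig_ok(pk, msg, sig):
    c, z = sig
    return c == H(pow(3, z, P) * pow(pk, -c, P) % P, msg)

def run():
    sk_t, sk_h, sk_S = rnd(), rnd(), rnd()
    pk_t, pk_S = sk_t, pow(3, sk_S, P)        # pk_t = g2^{sk_t}, as an exponent
    M = [[11, 22, 33], [44, 55, 66]]          # constructed data: n = 2, s = 3
    l_ij = [[1, 0, 5], [0, 7, 0]]             # how the stored sectors were changed
    M_star = [[m + d for m, d in zip(b, lb)] for b, lb in zip(M, l_ij)]
    u, T = taggen(M, sk_t, sk_h)
    Q, r = {0: rnd(), 1: rnd()}, rnd()        # challenge set with v_i, and secret r
    R = pk_t * r % P                          # challenge stamp R = pk_t^r
    TP, DP_star = prove(M_star, T, u, Q, R)   # honest server, modified data
    sigma = sign(sk_S, (TP, DP_star))         # the fix: server signs P
    DP = (DP_star - mix(l_ij, Q, u, R)) % P   # DP* replaced on the channel
    ok = lambda p: verify(Q, r, p, sk_h, pk_t)
    fixed = lambda p: sig_ok(pk_S, p, sigma) and ok(p)
    return {"intact": ok(prove(M, T, u, Q, R)), "modified": ok((TP, DP_star)),
            "replaced": ok((TP, DP)), "replaced_fixed": fixed((TP, DP)),
            "modified_fixed": fixed((TP, DP_star))}
```

Without the signature, Verify accepts the replaced DP although the stored sectors differ from the tagged ones. With it, the replaced response fails the signature check and the untouched response fails Verify, so the auditor rejects in both cases.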
