1 Introduction

The security of data in the cloud rests on public keys that can be trusted. SSL (secure sockets layer) and its successor TLS (transport layer security) are the standard protocols for authenticating a remote party by its public key and protecting the channel between the two; TLS is a mature client–server standard for communication over the web. The reliability of TLS can be undermined by attacks that exploit gaps in how TLS is deployed. One such gap lies in the public-key infrastructure (PKI) on which TLS relies: any single trusted entity in that PKI can impersonate any website. Conventionally, a trusted certification authority (CA) vouches for a public key (the TLS PKI) [1]. To issue a certificate, the CA must verify the binding between an identity and a public key. Unfortunately, for several reasons, this process does not provide a high level of trust. The identity check is carried out over the internet using a trust-on-first-use model [2], and it happens only once per certificate issuance. An attacker who can impersonate a domain for even a short time can therefore obtain a valid certificate for that domain. In recent years there has been ample evidence that the compromise of a single CA can lead to a successful impersonation attack [3,4,5,6,7,8,9,10,11]. One of the earliest proposals for preventing such attacks is a notary system [12]. The idea is to rely on a safer agency, known as a notary: a TLS client asks the notary to confirm the server's public key and thereby obtains the assurance it needs before trusting that key [13]. This approach has limitations, however: TLS clients reveal to the notary which hosts they intend to connect to, and the extra round trip increases the latency of TLS connections [14]. In this paper we present SSI, an emerging self-sovereign identity approach built on TLS that removes several issues of notary-based authentication. SSI leverages the properties of a blockchain platform.
The proposed method achieves transparency, provides a framework for service-level agreement (SLA) enforcement, and relaxes availability requirements. The recent work of S. Khan et al. on attack-resilient TLS certificate transparency motivated further research in this direction [15]. For 5G/6G networks, achieving secure transmission without excessive computation and routing overhead remains a problem. Data privacy requirements in 5G/6G networks are driving a distributed data reliability model for mobile edge-based sensor clouds (DDR-ESC) [16]. In another work, the authors suggested using fuzzy logic in the network to protect mobile travellers' information in IoT [17].

This work is about replacing the trusted third party (TPA) with SSI. The proposed cryptographic technique secures data migration to and from the cloud using SSI, so that peer-to-peer transactions can take place without a TPA. The next section presents a detailed literature survey to provide context for this work.

2 Literature survey

Moghaddam et al. [18] proposed a new intelligent migration approach that combines an optimized placement method with delaying the migration based on predicted future resource demand. Their algorithm reduces the number of migrations.

The work in [19] concerns efficient probabilistic public key encryption (EPPKE) optimized with covariance matrix adaptation evolution strategies (CMA-ES). It checks data integrity with the Luhn algorithm combined with BLAKE2b hashing, and its results improve on existing schemes. Cloud security is a priority for the industry rather than a trend. Until 2019 most organizations relied on the security services offered by their cloud service providers (CSPs). That has changed: in addition to what the CSPs provide, most organizations are now keen to build a strong security foundation of their own for their cloud workloads.

The survey by Masdari and Khezri [20] covers migration based on forecasting techniques in cloud computing. It offers an extensive survey and taxonomy of the predictive migration approaches adopted in cloud data centers, compares the predictive migration schemes, and identifies future research areas.

Ahmad et al. [21] presented strategies and methods for transforming a client–server environment into a cloud computing environment. They also evaluated the existing cloud migration processes and the software available from cloud system integrators and operators.

Zhao et al. [22] presented security-service-level-agreement (SSLA)-guaranteed service function chain deployment in cloud-fog computing networks. They proposed a minimal-cost, SSLA-guaranteed service function chain (SFC) deployment algorithm that minimizes cost while satisfying the SSLA. The results show that, when the SSLAs are met, the blocking ratio and the deployment cost of their algorithms are better than those of the existing algorithm.

For an SSI implementation, the decentralized nature of a blockchain is an important feature to consider. We examined the work of Kumar et al. [23] on blockchain and its applications, which presents the ideas behind blockchain technology and its recent applications. Its key offering is a segregated, unambiguous, publicly verifiable ledger of transactions.

Casino et al. [24] presented a detailed state-of-the-art study of blockchain implementations, building a theoretical understanding from the research published during the last decade and discussing the different classifications of blockchain systems.

Chaudhry et al. [25] published research on cloud IoT-based sensor nodes and proposed lack-IoT, a scheme for direct device-to-device communication without intermediate agents. Its access control method was found to reduce computational time and communication cost, and its security was established by both formal and informal analysis.

Mo et al. [26] considered IoT sensor node reliability in a cloud system, using graph decomposition on vertices to evaluate K-terminal reliability. The work highlighted issues and challenges for IoT data migrated to cloud systems.

Ahmed et al. [27] proposed optimizing energy consumption using genetic algorithms for IoT data migration to a cloud system. Compared with existing algorithms, the proposed method reduced energy consumption.

The study by Ghazal et al. [28] reviewed the issues, challenges and solutions for security threats and vulnerabilities when transmitting IoT data to cloud systems. Similarly, Liang et al. [29] presented a detailed discussion of the attacks that undermine trust in IoT devices and cloud systems; their proposed trust model was analyzed theoretically with positive results. Wang et al. [30] investigated data privacy issues in sensor-cloud systems and showed that privacy mechanisms that account for communication complexity can reduce bandwidth and storage costs. To close this survey, we note that the General Data Protection Regulation (GDPR) imposes obligations on organizations anywhere in the world, so long as they target or collect data related to people in the EU. The basic data protection principles of GDPR are:

  • Lawfulness, fairness and transparency,

  • Purpose limitation,

  • Data minimization,

  • Accuracy,

  • Storage limitation,

  • Integrity and confidentiality,

  • Accountability.

The literature study then turned to authentication in 5G. Patel et al. [31] presented the energy and cost trade-off of offloading computational tasks in mobile multi-tenant clouds. They proposed various policies that a 5G-enabled cloud can employ to solve the general case, and analysed the complexity of their heuristic algorithm together with a performance evaluation showing high performance.

3 Cloud migration

Cloud migration is the shifting of applications and data hosted in a local architecture to a scalable cloud environment, which makes the services accessible over the internet. There are many cloud migration practices for business enterprises, each with distinct features and migration methods [32]. The most widely adopted models are 'lift and shift' and 'cloud-to-cloud'. In the present work we focus on cloud-to-cloud (C2C) migration, which offers the following key benefits:

  • Scalability: resources can be scaled up and down as the business demands.

  • Mobility: users can request the essential service and launch it from any connected device, anywhere.

  • Affordability: cloud-based services are available at low cost, with offerings such as pay-as-you-go.

  • Security: transactions across the cloud environment are wrapped in strict security measures.

  • Measurability: without shortage or load shedding, it provides measured services as per the business requirements and provisions adequate service on demand.

3.1 Cloud migration threats

Although cloud infrastructure brings numerous benefits, cloud-based applications and data also face several threats. Newer protocol versions such as TLS are less vulnerable than SSL, but TLS has had security issues of its own. The DROWN (decrypting RSA with obsolete and weakened encryption) attack breaks the secure communication provided by SSL and TLS: a server that still accepts SSLv2, or any server that shares its RSA key with one that does, gives an attacker a decryption oracle against recorded TLS sessions. As a result, secured data can be exposed by a server whose operators suspect nothing [33]. Figure 1 shows the schematic of DROWN. Although a DROWN attack gives the attacker no visibility into how the victim reacts to the incident, it can still cause damage.

Fig. 1

DROWN (decrypting RSA with obsolete and weakened encryption) attack breaks the communication encryption provided by SSL and TLS

Since 2011 security researchers have known of another form of attack, the browser exploit against SSL/TLS (BEAST) [34]. BEAST exploits the predictable initialization vectors of cipher block chaining (CBC) mode in TLS 1.0 to recover plaintext such as session cookies. Since TLS 1.0 is now outdated, exposure to BEAST is limited to old systems still using it, and with TLS 1.0 deprecated by the major browsers in 2020 the attack will become rarer still. The advice is to use a higher version of TLS. Yet, according to an article published by Acunetix in 2020 [34], 30.7% of web servers were still running TLS 1.0, leaving them at potential risk from BEAST. A few further vulnerabilities deserve a mention: timing attacks on CBC padding (2013), and the compression-based CRIME and BREACH (browser reconnaissance and exfiltration via adaptive compression of hypertext) attacks [35]. Lastly, for completeness, the Unholy PAC incident of 2016 is worth noting. It exploits a limitation of the web proxy auto-discovery (WPAD) protocol: the proxy auto-configuration (PAC) script receives the full URL, so the URL becomes visible even though the user is accessing it through a secure TLS tunnel [36].

3.2 Cloud to cloud migration

C2C migration is the seamless transfer of an information technology environment from one cloud (the source) to another (the destination). It allows an organization to change cloud service providers without the intermediate step of moving the data back to an in-house environment [37]. One of the most critical criteria when selecting a cloud service provider is therefore how well it facilitates cloud migration. In a multi-cloud data migration scenario the complications increase further. Well-thought-out processes and capable tools now exist to carry out C2C data migration with minimal risk. The objective of C2C migration is to leverage the IT infrastructure capability and security of the host environment, along with benefits such as flexibility, easy service provisioning, and a pay-per-use model [38].

Figure 2 shows a C2C migration. Migrating from one cloud infrastructure to another involves multiple considerations, such as migration of the web layer, the application layer, and the databases. During migration, three types of communication channel are used. The first is the management channel: it gives users and trusted third parties authenticated access to manage and control the migration process and to ensure that there are no mismatches between the capabilities of the source and destination clouds [39]. This channel is used to rehearse the migration several times so that everything is known to work before the production cutover; a detailed migration document and a master migration checklist must be in place for validation. The second channel is a dedicated VPN tunnel established for real-time, high-demand transfers. The VPN uses state-of-the-art routers and standard protocols such as TLS [40]. The VPN can also be a node-to-node network such as multiprotocol label switching (MPLS), which employs a range of access technologies such as T1/E1, ATM, frame relay, and DSL and forwards data from one node to the next based on short path labels. The third channel is the back-end replication channel, a VPN implemented over an internet access gateway. Archival data, scheduled backups, and disaster recovery (DR) data are mostly replicated over this channel [41].

Fig. 2

Schematic diagram of cloud-to-cloud migration involving a source cloud and a destination cloud environment

3.3 Digital identity models

There are three digital identity models: siloed, third-party identity provider, and self-sovereign. Figure 3 compares the three models.

Fig. 3

Three digital identity models: siloed, third-party identity provider, and self-sovereign

The first model is the siloed one: each system issues its own digital identity credential for the use of its facilities, so every user needs a new credential for every new application. Siloed identity leads to a poor user experience. The second model is the federated one, in which a third-party identity provider supplies the user's credentials, as in the "Login with LinkedIn" functionality; LinkedIn thereby becomes the middleman of trust. The emergence of blockchain technology, decentralized identifiers, and verifiable credentials has made a third model possible: self-sovereign identity.

3.4 Self-sovereign identity model

Today, control over data security lies with the many applications and services that receive access consent from the end-user. This is risky because these centralized organizations are increasingly exposed to attacks and impersonation [42]. A digital identity consists of information about the online credentials of an entity. Self-sovereign identity is an approach that lets online entities regain control over the authorization of their credentials. In essence, the encrypted digital identity data is kept in a cloud hub and accessed only by authorized entities, so an entity no longer has to grant general consent to multiple platforms and applications [43]. One of the benefits is that the access credential can be revoked if trust in an application or platform is lost. The use cases where SSI is useful share the following prerequisites:

  • The cloud infrastructure includes a system with a shared database.

  • Multiple users update that database concurrently.

  • The users do not fully trust one another.

  • Relying on third-party services is problematic, because the data transactions of the deployed cloud applications depend on each other.

The main aim of SSI is to build trust by reducing dependence on mutually trusted agents between source and destination. Eliminating the intermediary third party for validation enables faster transactions and streamlines the audit process and its steps; the tangible outcome is cost reduction through decentralization [44]. Figure 4 shows the updated C2C migration diagram, in which an encrypted digital hub replaces the trusted third party for the SSI implementation. SSI also retains records of malicious activity for future reference. As can be seen, the digital hub is replicated at each router. SSI streamlines administrative overhead, reduces the cost of ownership, automates periodic updates, and gives any end-user access; this reduces the risk of human error associated with trusted third-party processes [45]. Further benefits are bidirectional, asynchronous workflow control and an effective key management system that handles any type and format of public key, is highly available and scalable, and lowers cost through an automated, less complex backup and recovery process.

Fig. 4

C2C migration with encrypted digital hub replacing trusted third party

3.5 SSI platform security

The security of the present SSI platform for C2C migration includes TLS for the communication between peers. The TLS protocol evolved from the earlier SSL protocol [46]. Another critical component of the security platform is the encryption and signing of the data packets while they are transported from peer to peer; TLS provides this end-to-end protection. TLS is a complex protocol whose operations span the transport and session layers. It relies on cryptography and on X.509 certificates, and its PKI framework covers the authentication, validation, and revocation of the communicating partners [47]. Another aspect of TLS is its asymmetry: of the two communicating computers, the server authenticates itself by presenting its X.509 certificate and depends heavily on the PKI framework, whereas the client normally remains unauthenticated at the TLS layer [48]. We propose a public key infrastructure scheme that provides bidirectional authenticated and encrypted communication, as well as host-level access control between services, using TLS. In this approach both the client and the server possess certificates: mutual TLS requires the server to verify the client's certificate before the connection is established [49]. By including information about a host in its certificate, a server can determine the identity of the requesting host and apply access controls accordingly. For instance, the system can enforce that only the servers taking part in the C2C migration are allowed to perform decryption, and that they may do so only with their own private keys. Figure 5 shows the proposed SSI-based platform security model for C2C migration [50].

Fig. 5

Proposed SSI based platform security model for C2C migration

Every instance in the proposed platform carries a security certificate, either a client or a server certificate. The certificates are issued by a certificate authority, and their validity is limited to the duration of the C2C migration. Authentication against the encrypted digital hub uses the same authentication process [51].
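The mutual TLS behaviour described above can be exercised end to end with Go's crypto/tls, a natural tool for an RSA-and-certificate based scheme. The program below is an added example and not the authors' platform code: it issues a short-lived CA, server and client certificate in memory, runs four handshakes over an in-memory net.Pipe (nothing touches the network), and lets the server verify the client's certificate and then apply host-level access control to the verified identity. The CA name, the host names dst-migrator, src-migrator and other-tenant, the four-hour validity window and the "ready" greeting are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const dstName, srcName = "dst-migrator", "src-migrator" // hypothetical host names, not from the paper

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an RSA certificate, self-signed (the migration CA) when parent is nil; validity is bounded to a migration window of four hours (an assumption, following Sect. 3.5).
func newCert(name string, parent *x509.Certificate, signer *rsa.PrivateKey) ([]byte, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(4 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // the CA signs itself and may sign the leaves
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, parent, signer = true, true, x509.KeyUsageCertSign, tmpl, key
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)), key
}

type Outcome struct { // the server's verdict on one connection: the verified client identity, or why it was refused
	Case, ClientCN string
	Err            error
}

// connect runs one handshake over an in-memory pipe: the server verifies the client certificate (mutual TLS), then applies host-level access control to the verified common name.
func connect(label string, server, client *tls.Config, allowed map[string]bool) Outcome {
	a, b := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // turns any stall into an error instead of a hang
	_, _ = a.SetDeadline(deadline), b.SetDeadline(deadline)
	verdict := func() (string, error) {
		srv := tls.Server(a, server)
		if err := srv.Handshake(); err != nil {
			return "", err
		}
		cn := srv.ConnectionState().PeerCertificates[0].Subject.CommonName
		if !allowed[cn] {
			return cn, fmt.Errorf("host %q is not a migration host", cn)
		}
		_, err := srv.Write([]byte("ready"))
		return cn, err
	}
	done := make(chan Outcome, 1)
	go func() { cn, err := verdict(); a.Close(); done <- Outcome{label, cn, err} }()
	cli := tls.Client(b, client)
	defer cli.Close()
	if cli.Handshake() == nil { // a TLS 1.3 client finishes first; the read surfaces the server's alert
		_, _ = cli.Read(make([]byte, 16))
	}
	return <-done
}

// Demo provisions the CA and three identities, then attempts four connections.
func Demo() []Outcome {
	caDER, caKey := newCert("c2c-migration-ca", nil, nil)
	ca := must(x509.ParseCertificate(caDER))
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	leaf := func(name string) tls.Certificate { der, key := newCert(name, ca, caKey); return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key} }
	server := &tls.Config{
		Certificates:           []tls.Certificate{leaf(dstName)},
		ClientAuth:             tls.RequireAndVerifyClientCert, // mutual TLS: no client certificate, no session
		ClientCAs:              pool,                           // only the migration CA may vouch for clients
		MinVersion:             tls.VersionTLS12,               // refuses the BEAST-era TLS 1.0 and TLS 1.1
		SessionTicketsDisabled: true,                           // no post-handshake record on the synchronous pipe
	}
	client := func(certs []tls.Certificate, pin uint16) *tls.Config { // pin 0 keeps Go's default versions
		return &tls.Config{RootCAs: pool, ServerName: dstName, Certificates: certs, MinVersion: pin, MaxVersion: pin}
	}
	src, allowed := []tls.Certificate{leaf(srcName)}, map[string]bool{srcName: true} // the access control list
	return []Outcome{
		connect("authorised migration host", server, client(src, 0), allowed),
		connect("valid certificate, not a migration host", server, client([]tls.Certificate{leaf("other-tenant")}, 0), allowed),
		connect("no client certificate", server, client(nil, 0), allowed),
		connect("client pinned to TLS 1.0", server, client(src, tls.VersionTLS10), allowed),
	}
}

func main() { fmt.Println(Demo()) }
```

Two points the figure alone does not make explicit: the second case shows that a certificate from the right CA is not by itself an authorization, since the access decision is taken on the verified identity after the handshake; and MinVersion keeps the BEAST-era protocol versions of Sect. 3.1 out, so the fourth case is refused before any data flows.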

3.6 Rivest Shamir Adleman algorithm (RSA)

Cryptographic algorithms are essential to realizing the data security system. In the current work, the popular Rivest–Shamir–Adleman (RSA) algorithm is used for encryption. RSA is an asymmetric algorithm: it uses a key pair, one key for encryption and the other for decryption. The key size is critical to the security of the algorithm. If the key is small, the private key can be recovered, whether by a brute force attack (BFA), which tries candidate keys one by one, or, more realistically, by factoring the modulus. Several studies have established that the choice of the prime numbers used in RSA determines the effective key size [52,53,54,55]. Figure 6 shows the RSA-based encryption and decryption scheme. The distinctive feature of RSA is that data is encrypted with the public key and can be decrypted only with the private key.

Fig. 6

RSA Algorithm based encryption and decryption

RSA encrypts data packets with the public key, so no separate secret key needs to be communicated. The same primitive, applied with the private key, is used to sign a message.

3.7 Key generation: algorithm

For an authorized cloud user, transmitting data without encryption is risky, so encryption and decryption are essential for secure C2C migration. The prime numbers used to generate the RSA key must be kept confidential: anyone who learns them can recompute the private exponent. In addition, the raw RSA operation described below, applied to data without a randomized padding scheme, is exposed to attacks such as chosen-ciphertext attacks. To set up RSA, the user chooses two large prime numbers p and q and forms the modulus n = pq, which becomes part of the public key; the secrecy of the scheme rests on the difficulty of recovering p and q from n.

3.8 RSA encryption and decryption scheme

Encryption rule

Ciphertext c can be represented as in Eq. 1.

$$ {\text{c}} = {\text{RsaPublic}}\left( {\text{m}} \right) = {\text{m}}^{{\text{e}}} \bmod \;{\text{n}}, $$
(1)

where 1 < m < n − 1.

Decryption rule

Plaintext m can be represented as in Eq. 2

$$ {\text{m}} = {\text{RsaPrivate}}\left( {\text{c}} \right) = {\text{c}}^{{\text{d}}} \bmod \;{\text{n}}. $$
(2)

Inverse transformation

$$ {\text{m}} = {\text{RsaPrivate}}\left( {{\text{RsaPublic}}\left( {\text{m}} \right)} \right). $$
(3)

Signing

Signature s can be represented as

$$ {\text{s}} = {\text{RsaPrivate}}\left( {\text{m}} \right) = {\text{m}}^{{\text{d}}} \bmod \;{\text{n}}, $$
(4)

where 1 < m < n − 1.

Verification

$$ {\text{v}} = {\text{RsaPublic}}\left( {\text{s}} \right) = {\text{s}}^{{\text{e}}} \bmod \;{\text{n}}. $$
(5)

Inverse transformation

$$ {\text{m}} = {\text{RsaPublic}}\left( {{\text{RsaPrivate}}\left( {\text{m}} \right)} \right). $$
(6)

The inverse transformations for encryption and signing are equivalent, since

$$ \begin{aligned} {\text{RsaPrivate}}\left( {{\text{RsaPublic}}\left( {\text{m}} \right)} \right) & = \left( {{\text{m}}^{{\text{e}}} \bmod \;{\text{n}}} \right)^{{\text{d}}} \bmod \;{\text{n}} \\ & = {\text{m}}^{{{\text{ed}}}} \bmod \;{\text{n}}, \\ \end{aligned} $$
(7)
$$ \begin{aligned} {\text{RsaPublic}}\left( {{\text{RsaPrivate}}\left( {\text{m}} \right)} \right) & = \left( {{\text{m}}^{{\text{d}}} \bmod \;{\text{n}}} \right)^{{\text{e}}} \bmod \;{\text{n}} \\ & = {\text{m}}^{{{\text{ed}}}} \bmod \;{\text{n}}. \\ \end{aligned} $$
(8)

So we only need to show that the decryption rule works; that is, for (n, e) as defined above, if c = m^e mod n for 0 < m < n, then m = c^d mod n, where d is the secret exponent satisfying ed ≡ 1 (mod φ(n)). In summary, RSA works because, for any integer x and any integer k ≥ 0 (n = pq being a product of two distinct primes),

$$ {\text{x}}^{{1 + {\text{k}}\varphi ({\text{n}})}} \equiv {\text{x}}\left( {\bmod \;{\text{n}}} \right). $$
(9)

4 Simulation

A codebase was developed based on the algorithm described in Sect. 3.8. The simulation involves running the developed code for the following scenarios:

  • Key generation,

  • Encryption,

  • Decryption.

The key configuration parameters for the simulation are p, q, n, φ(n), e and d. Based on Eqs. 1 to 9, the developed code uses these parameters to execute the different scenarios.

5 Key implementation

Following Eq. 9, the public and private keys are generated for the plaintext TIGEQU, as shown in Table 1.

Table 1 Generated keys for TIGEQU

6 Results and discussion

Table 2 shows the ASCII value of each character of TIGEQU together with its value after RSA encryption and after decryption.

Table 2 ASCII vs. encryption and decryption for TIGEQU
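To make Eqs. 1 to 9 concrete, and to reproduce the per-character treatment of TIGEQU reported in Tables 1 and 2, the following Go program is added here as an example; it is not the simulation code of Sect. 4. The primes p = 61, q = 53 and the exponent e = 17 are constructed toy values for illustration (they are not the keys of Table 1), giving n = 3233, φ(n) = 3120 and d = 2753. The program also checks Eq. 9 directly and contrasts the deterministic per-character scheme with RSA-OAEP from Go's crypto/rsa, which is not part of the paper's scheme.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Key holds the textbook RSA parameters of Sects. 3.7 and 3.8:
// n = pq, the public exponent e and the private exponent d with ed ≡ 1 (mod φ(n)).
type Key struct{ N, E, D, Phi *big.Int }

// Generate derives the key pair from the primes p, q and the public exponent e.
// It panics when gcd(e, φ(n)) ≠ 1, because then d does not exist.
func Generate(p, q, e int64) Key {
	one := big.NewInt(1)
	P, Q := big.NewInt(p), big.NewInt(q)
	n := new(big.Int).Mul(P, Q)
	phi := new(big.Int).Mul(new(big.Int).Sub(P, one), new(big.Int).Sub(Q, one))
	E := big.NewInt(e)
	d := new(big.Int).ModInverse(E, phi) // nil when e is not invertible modulo φ(n)
	if d == nil {
		panic("e is not invertible modulo φ(n); choose another e")
	}
	return Key{N: n, E: E, D: d, Phi: phi}
}

// RsaPublic is x^e mod n (Eqs. 1 and 5); RsaPrivate is x^d mod n (Eqs. 2 and 4).
func (k Key) RsaPublic(x int64) int64  { return new(big.Int).Exp(big.NewInt(x), k.E, k.N).Int64() }
func (k Key) RsaPrivate(x int64) int64 { return new(big.Int).Exp(big.NewInt(x), k.D, k.N).Int64() }

// Encrypt, Decrypt, Sign and Verify are the four rules of Sect. 3.8.
func (k Key) Encrypt(m int64) int64 { return k.RsaPublic(m) }
func (k Key) Decrypt(c int64) int64 { return k.RsaPrivate(c) }
func (k Key) Sign(m int64) int64    { return k.RsaPrivate(m) }
func (k Key) Verify(s int64) int64  { return k.RsaPublic(s) }

// EncryptASCII applies Eq. 1 to every character code, as in Table 2.
// Each code must be smaller than n for Eq. 3 to hold.
func (k Key) EncryptASCII(s string) []int64 {
	out := make([]int64, 0, len(s))
	for _, ch := range []byte(s) {
		out = append(out, k.Encrypt(int64(ch)))
	}
	return out
}

// DecryptASCII inverts EncryptASCII with Eq. 2.
func (k Key) DecryptASCII(cs []int64) string {
	buf := make([]byte, 0, len(cs))
	for _, c := range cs {
		buf = append(buf, byte(k.Decrypt(c)))
	}
	return string(buf)
}

// Eq9Holds checks x^(1+kφ(n)) ≡ x (mod n), the identity on which RSA rests (Eq. 9).
func (k Key) Eq9Holds(x, times int64) bool {
	exp := new(big.Int).Add(big.NewInt(1), new(big.Int).Mul(big.NewInt(times), k.Phi))
	lhs := new(big.Int).Exp(big.NewInt(x), exp, k.N)
	rhs := new(big.Int).Mod(big.NewInt(x), k.N)
	return lhs.Cmp(rhs) == 0
}

// OaepRoundTrip encrypts msg twice with RSA-OAEP (crypto/rsa, 2048-bit key) and decrypts
// the first ciphertext. It returns the recovered plaintext and whether the two ciphertexts
// differ: the randomised padding is exactly what the per-character scheme above lacks.
func OaepRoundTrip(msg string) (string, bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, err
	}
	c1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, []byte(msg), nil)
	if err != nil {
		return "", false, err
	}
	c2, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &key.PublicKey, []byte(msg), nil)
	if err != nil {
		return "", false, err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, c1, nil)
	return string(pt), !bytes.Equal(c1, c2), err
}

func main() {
	k := Generate(61, 53, 17) // constructed toy primes: n = 3233, φ(n) = 3120, d = 2753
	fmt.Printf("n=%v e=%v d=%v phi=%v\n", k.N, k.E, k.D, k.Phi)
	cs := k.EncryptASCII("TIGEQU")
	fmt.Println("ciphertext per character:", cs, "->", k.DecryptASCII(cs))
	fmt.Println("Eq. 9 holds for x=84, k=3:", k.Eq9Holds(84, 3))
	pt, distinct, err := OaepRoundTrip("TIGEQU")
	fmt.Println("OAEP round trip:", pt, "ciphertexts differ:", distinct, err)
}
```

Two consequences that the table does not show: encrypting character codes one at a time with a deterministic function turns RSA into a substitution cipher (identical characters give identical ciphertext values, and anyone holding the public key can tabulate all 256 possibilities), and a toy modulus is factored instantly. Real deployments therefore use a 2048-bit or larger modulus with randomised padding (OAEP for encryption, PSS for signatures) and wrap a symmetric key rather than the data itself.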

Figure 7 shows the block diagram for the cloud applications' public and private key generation, the encryption of the data, and the session encryption for the applications using the public key. Once the data and sessions are encrypted, the migration can proceed using background or foreground replication. The online access key generators publish public keys for authenticated users to use for encryption.

Fig. 7

C2C migration data and session encryption

Figure 8 shows the public key generated for data encryption during C2C migration.

Fig. 8

C2C migration public key for data and session encryption

Figure 9 shows the private key generated for data decryption during C2C migration.

Fig. 9

C2C migration private key for data and session decryption

Figure 10 shows the context test data for encryption testing during C2C migration.

Fig. 10

C2C migration context data during migration

Figure 11 shows the encrypted context test data after encryption testing during C2C migration.

Fig. 11

C2C migration context data after migration

Figure 12 shows the keys generated using an online app.

Fig. 12

C2C migration context data using online app

Figure 13 shows the validation using an online app.

Fig. 13

C2C migration online validation

Table 3 shows the C2C migration performance using automated SSI authentication and TLS for background replication.

Table 3 C2C migration performance—background replication

Table 4 shows the C2C migration performance after setting up the foreground replication channel using SSI and TLS.

Table 4 C2C migration performance—foreground replication

Figure 14 shows the C2C migrated file size using automated SSI authentication and TLS for background replication.

Fig. 14

C2C migration performance for background replication

Figure 15 shows the C2C migration time taken using automated SSI authentication and TLS for background replication.

Fig. 15

C2C migration background replication—time

Figure 16 shows the C2C migration time taken using automated SSI authentication and TLS for foreground replication.

Fig. 16

C2C migration performance for foreground replication—time taken

Figure 17 shows the C2C migration size of files transferred using automated SSI authentication and TLS for foreground replication.

Fig. 17

Foreground replication—file size upload

7 Comparative analysis

Table 5 compares the C2C migration performance using RSA and TLS with the published results [56, 57] of the MDM and TPA methods. According to the published information, the TPA module takes less time to encrypt and decrypt data than the MDM module.

Table 5 C2C migration performance—comparison

From the comparison it is evident that the SSI-based implementation provides an encryption/decryption rate of 13.32 Kbps, significantly higher than the 1 Kbps of the TPA method.

8 Strength and weakness of SSI method

Following are the strengths and weaknesses of the proposed SSI.

Strengths

  • Convenience of use,

  • Cost reduction,

  • Better service delivery,

  • Reduced transaction time,

  • Improved security.

Weaknesses

  • Attackers may target the nodes implementing SSI.

9 Conclusion

SSI combines multiple technological breakthroughs that have evolved over the years. Trustworthy, secured point-to-point communication across entities and devices is on the verge of revolutionizing digital media, daily life, working life and social life. Among the most pressing problems of digital communication over the internet are authentication problems such as identity theft and phishing. Mutual cryptographic authentication satisfies the IT audit requirements of the privacy norms. Cloud service providers such as Amazon EC2, GoGrid, NephoScale and Google provide APIs to access and control C2C migration. This paper has focused on establishing that SSI is a trustworthy approach, motivated by the fact that the siloed and IDP models are now obsolete and that SSI holds the key to a better user experience. A TPA-based security service over the cloud has its challenges, which surfaced explicitly during the recent COVID-19 pandemic when available resources were scarce. With the overwhelming progress of cloud-based services, there is demand for a semi- to fully-automated SSI implementation that reduces cost and TPA dependencies. Against this background, it is essential to manage cloud data strategically and to provide the required protection; each stage of the C2C migration process must be secured. This work is an attempt to replace the TPA with SSI: a cryptographic technique for secured C2C migration using SSI was implemented, and SSI is used to facilitate peer-to-peer transactions without the need for a TPA. After implementation we analyzed the C2C performance and found that both replication scenarios (background and foreground) are achievable. The mathematically computed encrypted and decrypted ASCII values for the word "TIGEQU" matched the output of the algorithm, and the keys generated by the algorithm were checked with an online validator to confirm the correctness of the key generation.
The results of the implemented algorithm show that the SSI-based implementation provides an encryption/decryption rate of 13.32 Kbps, significantly higher than the 1 Kbps of the TPA method. SSI gives the individual sovereignty not over the issuance but over the management of their identity, and it reduces TPA dependencies. We conclude that RSA-based mutual TLS is a candidate for SSI-based C2C migration, offering reduced cost and a highly secure environment. We recommend optimized, RSA-based, automated certificate services driven by the latest standards. This approach eliminates the risks associated with proprietary and outdated interfaces in on-premises or cloud environments and creates a cost-effective, homogeneous C2C migration environment.

10 Future

SSI-based data migration is at an early stage of adoption but has great potential, because the approach gives individuals sovereignty over their digital assets and credentials. The portability of digital documents such as certificates, passports, property titles, and digital wallets through mobile apps will become more trustworthy because no TPA mediates: to prove ownership, the owner does not need to go back to the issuer for verification. Another evolving area is an integrated security approach with 24/7 cloud security monitoring, since organizations today need to protect their data and users in real time. Cloud security providers that can comply with GDPR, the toughest privacy and security law in the world, will be in high demand over the coming years.