A Secret Sharing-Based Distributed Cloud System for Privacy Protection
Tae Woo Kim1, Abir EL Azzaoui1, Byoungsoo Koh2, Jaesoo Kim1, and Jong Hyuk Park1,*

Human-centric Computing and Information Sciences volume 12, Article number: 20 (2022)
https://doi.org/10.22967/HCIS.2022.12.020

Abstract

With the rapid development of cloud computing, the Internet of Things (IoT), and wireless networks, smart cities have been able to develop exponentially faster. The convergence of cloud computing and IoT networks has accelerated the development of smart environments such as smart cities and smart homes. However, the expansion of smart cities generates a large amount of data, which has created numerous issues in the cloud, including big data processing, storage, security, and privacy. This paper proposes a multi-cloud system to which data distribution sharing is applied. The proposed system applies a data distribution sharing algorithm that distributes and stores data using either secret sharing or the interplanetary file system, depending on the type of data. Since data is divided and stored across distributed cloud storage, it remains protected in the event of a cyber-attack on, or a single point of failure in, one cloud storage. In addition, we apply the one-time password protocol (OTIP) algorithm to secure data communication. OTIP is a one-time password-based IP address modification algorithm that continuously changes IP addresses for secure data communication. Finally, we prove the necessity of the proposed cloud system through qualitative analysis and simulation.


Keywords

Secret Sharing, InterPlanetary File System, One-Time Password, Data Distribution Sharing, Data Management


Introduction

Modern information technology is evolving faster than expected and affects various industries. Wireless network technology has evolved to enable fast and stable networking, which contributes to large-scale smart environments, including the Internet of Things (IoT). IoT networks built on wireless network technology are actively used in environments such as homes, hospitals, and farms, and, with the development of cloud computing that makes services accessible anytime and anywhere through the internet, they can support large-scale services such as smart cities [1, 2].
A smart city efficiently manages resources based on data by utilizing digital technologies including big data, artificial intelligence (AI), IoT, and blockchain in areas such as transportation, the environment, and quality of life. Smart cities improve the quality of human life by creating an interconnected network that responds to users' demands and needs in a short amount of time [3–5]. Currently, multiple state-of-the-art studies address the development of smart cities, their applications, their critical issues, and possible solutions.
However, in exchange for this convenience, IoT devices inherently acquire private data from various users, and these personalized data are stored and utilized in the cloud to provide intelligent services [6]. The issue with this approach is the exposure of personalized data to multiple possible cyber-attacks, such as intermediate (man-in-the-middle) attacks, data hijacking, and sniffing during data transmission. This poses a very serious security threat from the user's point of view, as secondary and tertiary damage through the user's personal information can occur after the attack [7, 8]. Users' personal information is exposed to intelligent persistent threat attacks aimed at the cloud storage itself as well as at the data transmission process [9]. In addition, cloud storage should be prepared for distributed denial-of-service attacks that interfere with normal services, and for physical problems such as natural disasters at cloud storage centers and terrorism [10].
On the other hand, deploying the interplanetary file system (IPFS) alone is not a feasible solution. Relying on IPFS alone consumes more bandwidth, which network users do not appreciate. Moreover, IPFS systems tend to be used mainly by tech-savvy users, which creates a shortage of nodes in the network. Although the encryption method usually deployed by IPFS is known to be lightweight, it does not offer the required privacy level, as the content itself is not encrypted: the information is secured during transmission, but it can be viewed by a third party who succeeds in downloading it and holds the CID. Simply encrypting the content before adding it to the IPFS network is not a suitable solution either. Once the data is obtained by a third party, a brute-force attack can be conducted successfully, which puts the sensitive data and private information at risk.
Moreover, with the continuous growth of IPFS, its content can be used as training data for advanced machine learning algorithms that detect the patterns used to create passwords; it is necessary to note that the attacker does not brute-force each character in the string but rather whole words, so poorly secured files are at higher risk of losing data. On top of that, since IPFS uses the SHA-256 hashing algorithm by default, and with the fast development of quantum computing and algorithms, a fast and scalable computation of possible matches of the original string can potentially crack the hash billions of times faster than classical methods, which was theoretically proven using Grover's algorithm [11], thus revealing sensitive data and information. In this case, using secret sharing to distribute the key and information is the most feasible and cost-effective solution: even if one node is successfully hacked, the information cannot be fully recovered by the attacker.
Other solutions suggest creating a private network to share data between nodes that have obtained access rights; however, if an attacker successfully manipulates a previously authorized node, they can use its authorization to view all shared files in the private network and also participate with wrong data.
To this end, this paper divides the load between secret sharing techniques and IPFS to increase security and improve the scalability of the network. In order to further enhance the security and privacy of data, an OTP-based internet protocol is deployed to automatically change the IP address. With this solution, even if the attacker manages to obtain the IP address, they cannot successfully access the data, as the IP address changes continuously.
In this paper, we propose a cloud system with data distribution sharing. The proposed cloud system performs data communication between each layer using a one-time password (OTP)-based Internet protocol. This ensures secure communication between layers and provides security against network sniffing and intermediate attacks because the IP address changes periodically. We also apply a data distribution sharing algorithm that distributes and stores data by applying secret sharing or IPFS, depending on the type of data, between the fog layer and the cloud layer. Since data is divided and stored in distributed cloud storage, it is secure from centralized attacks. In addition, since sensitive data is distributed and stored through secret sharing, it can be recovered in case of data loss, which makes the system highly scalable and secure.
The following points summarize our main research contribution:

We propose a data distribution and sharing system on a cloud system to prevent centralized attacks as data and user information is securely divided between multiple cloud systems.

We deploy an OTP encryption protocol to secure data communication between multiple layers in the proposed architecture. The proposed OTP is secure against network data sniffing and intermediate attacks.

Based on the type of data communicated between the fog layer and cloud layer, we apply a secret sharing system or IPFS. Our proposed architecture proves the perfect security of data communication in a smart city environment.

The rest of our paper is organized as follows. In Section 2, we discuss the requirements for secure data management in the cloud and analyze existing studies. Section 3 introduces the proposed cloud system with data distribution sharing and its detailed algorithms. Subsequently, in Section 4, a comparative analysis is conducted between a cloud with the existing data storage method and a cloud with the data distribution sharing algorithm, in terms of security and performance. Finally, we simulate the proposed solution based on quantitative and qualitative analysis and discuss the output results with regard to security, privacy, and scalability.


Related Work

In this section, we introduce a basic explanation of the proposed core technology of data distribution sharing-based cloud systems and present the requirements for secure and efficient data management and storage in cloud systems. Finally, various related studies conducted to mitigate these requirements are presented.

Core Technology
Secret sharing
Secret sharing is an algorithm proposed by Shamir that divides information into several pieces and stores them separately [12]. This algorithm is called Shamir's (k, n) scheme: it protects the information by dividing it into n pieces, and at least k pieces are required to recover it. The basic principle is that, on the graph of a quadratic function, a value on the graph is used as the secret key, and each of the n authenticated participants holds one coordinate value on the graph [13]. The graph used as the secret key cannot be determined from the coordinate value of a single participant, but if the coordinate values of more than a certain number of participants are known, the graph used as the secret key can be reconstructed [14]. However, the basic method has the disadvantage that the graph can be determined by acquiring the coordinate values of some participants, which can lead to loss of confidentiality. To address this, in real environments, a method of sharing a secret key based on a linearly combined polynomial operation is used to distribute and store the contents of the data on multiple computers using a converted hash value. Because all shares have equal importance, it is difficult to divide them according to security ratings, and when recovering the secret, malicious participants can provide contaminated values, making it impossible to confirm whether the secret has been properly recovered. Nevertheless, with the development of cloud-based distributed data storage and blockchain networks, secret sharing has recently been actively studied.

Interplanetary file system
IPFS is a protocol and network environment designed to create a peer-to-peer (P2P) method for storing and sharing hypermedia in a content-addressed file system [15]. IPFS saves transmission volume through distributed content transmission when IT devices in the network are connected to the same file management system and large-sized data is transmitted. This has the advantage of improving data throughput compared to conventional data transmission methods. In addition, there is no single point of failure, access can be made in various ways, including FUSE and HTTP, and nodes do not need to trust each other, apart from directly connected nodes. Because IPFS stores information on numerous decentralized nodes, users can store and retrieve data much faster than with traditional methods [16].
IPFS can reduce existing bandwidth costs by more than 60% by delivering high-capacity files quickly and efficiently. In addition, hash tables are used to ensure the integrity of data, and distributed storage can be used efficiently by detecting duplicate files. However, basic IPFS has no encryption mechanism, so information in data stored on IPFS may be exposed if the storage is exposed to attackers, and even distributed data may not be recoverable if the storage is lost.

One-time password
OTP is an authentication technology in which the password changes every cycle according to a random number commitment algorithm, preventing attackers from guessing passwords [17]. Since each password is used only once, it cannot be reused even when exposed to attackers. OTP originally used the S/KEY method, generated using a hash chain. However, with the recent development of smartphones and IoT equipment, the time-synchronization method, in which clients and servers generate OTP values based on a set time, and the event-synchronization method, in which counter values are incremented according to events, are mainly used [18]. OTP authentication is applied as part of two-factor authentication in many services, mainly finance, telecommunications, and login systems, and research is underway to strengthen data integrity by applying OTP to communication lines.

Existing Research
Multiple state-of-the-art studies have explored combining secret sharing with IPFS for distributed cloud systems; however, security and privacy were not the main targets of those papers. Novel algorithms and architectures are required for secure and efficient data management and storage in cloud repositories, to protect users' personal information and to prepare for various possible security attack scenarios.
Gutub and Al-Qurashi [19] proposed a block flip sharing process that applies counting-based secret sharing to secret keys to enhance password confidentiality. They also conducted research on secret sharing creation algorithms for new smart expansion models, focusing on expanding counting-based secret sharing techniques to create more shares for handler services [20]. Various studies have been conducted on secret key sharing algorithms to secure the confidentiality of personal information. Ra et al. [21] proposed a key recovery system that applies a password-protected secret sharing algorithm to store keys in a public blockchain. This is an algorithm for a server that manages and recovers keys. Secret sharing algorithms can defend against key exposure to malicious attacks. That paper studied how to distribute and store encryption keys and blockchain keys through secret sharing-based algorithms, showing that keys can be managed safely and effectively through secret sharing algorithms.
Cha et al. [22] proposed a secret sharing algorithm system using a blockchain to solve privacy issues for external cloud services. The proposed system architecture fragments the user's personal information through a secret sharing algorithm at the cloud service provider and manages the information using a blockchain. This provides faster transaction speed and better security than traditional architectures. Yuan et al. [23] proposed an approach to data transfer security that combines secret sharing algorithms with software-defined networking (SDN) technology. Data stability was secured by utilizing SDN's advantages in network management and scheduling and applying a (k, n) secret sharing mechanism. As a result, it significantly reduces the success rate of network attacks and provides data integrity. Choi et al. [24] proposed server-based distributed storage that uses secret sharing together with AES-256. The distributed storage stores data using either a secret sharing algorithm or AES-256 encryption, depending on the importance of the data. It is lighter and more stable than a typical data storage algorithm. These works applied secret sharing algorithms to enhance the security of data. However, although they secured data stability, they either did not consider large-scale data or applied traditional general-purpose encryption algorithms.
Biswas et al. [25] proposed a secure electronic file management architecture with IPFS. They studied how to safely store and process large-scale data given the increase in data communication following the recent spread of COVID-19. As a result, IPFS was applied to show that large-scale data can be managed effectively. Ortega and Monserrat [26] proposed a distributed network using IPFS. The proposed network applied IPFS for content-addressed networking and P2P connections, a technology that can balance performance and security. They achieved secure storage and efficient processing of data across multiple systems through IPFS. However, IPFS cannot load data if even part of the data is wrong [27]. To this end, the distributed hash table (DHT) of IPFS must be managed safely.
A study was conducted to apply blockchain to DHT management. Kumar and Tripathi [28] proposed a blockchain-based framework that can address content in a P2P model based on IPFS. This framework stores files in IPFS and records the content address (hash) on the blockchain as a transaction. This has the advantage of quickly storing/retrieving data through IPFS by using the content address as a blockchain transaction. Al Mamun et al. [29] proposed a distributed file storage framework that combines IPFS and blockchain for electronic medical records (EMR) in the medical community. The distributed storage framework for EMR is effective as it can quickly and safely store patients' medical records. When blockchain is applied, the DHT's integrity can be verified, enabling safe data loading.
On the other hand, Tian et al. [30] proposed a privacy-preserving solution for social IoT against potential leakage during the mining process. The authors deployed the Brakerski-Gentry-Vaikuntanathan homomorphic encryption algorithm while maintaining the required efficiency and reliability. Xiong et al. [31] discussed the problem of data sharing between vehicles without encryption. The solution proposed in the paper creates an edge-assisted privacy-preserving convolutional neural network. The framework was tested using the VGG16 model. The results show an improvement in communication overhead and computational cost. However, some errors were detected during the simulation, which the authors declared negligible. Deng et al. [32] proposed a system for securing outsourced image sharing systems in which illegal distributors can be detected. Using the image authentication information, a user can easily detect and identify the illegal distributor. This method can be used for intellectual property and ownership traceability of shared IPFS data files.

Requirements of Secure Cloud System
The primary considerations of the proposed architecture are as follows:
Confidentiality: IoT systems store data collected by IoT equipment in the cloud. Therefore, many attackers target cloud storage to obtain data such as users' personal information. If data from the cloud store is leaked through an attacker or a malicious insider, all information, including the personal information of various users, can be exposed. Therefore, cloud storage must either use encryption technology to prevent attackers from reading the data, or split the data and physically store the pieces in different storage.
Integrity: The cloud uses data communication channels to store data collected by IoT devices in cloud storage. Data should not be illegally modified during data transmission, and during data processing only authenticated users may modify or delete data. In addition, an attacker can change the system information of IoT equipment and use it as a malicious node, or use it as an outpost node for intermediate attacks. To ensure data integrity, it is important to ensure that the user who wants to modify the data is an authorized user. Technology to detect and cope with unauthorized data changes is also required.
Availability: Cloud storage in IoT environments continues to grow in importance. Cloud storage delivers the data requested by the user. In addition, the development of machine learning models using stored big data can provide smart services to users. Intelligent persistent threat attacks targeting cloud repositories that store a lot of information are increasing, and there is a possibility of failure due to physical causes such as natural disasters, fires, and power outages. A failure to store and manage information can become a system-wide failure. In addition, if data stored in the cloud is damaged, smart services cannot be provided to users, or incorrect services are provided. In other words, cloud storage should keep data safe, and even if one cloud storage fails, the service should be able to operate normally.
Privacy: Cloud systems raise privacy problems in the process of collecting, transmitting, and storing all data using IoT devices. Private information is very sensitive and important because it is closely linked to an individual's life, property, and social situation. If personal information is leaked, users are threatened with property damage, identity theft, or even threats to their lives. In addition, leaked personal information can cause further damage such as illegal financial transactions and impersonation of acquaintances. Private data can be leaked during data communication, and sometimes data stored in the cloud can be exposed. Therefore, private data should not be exposed in the process of data communication, and data should be stored using technologies such as encryption and data fragmentation.
Efficiency: Only when cloud efficiency is guaranteed can users expand and use the cloud at any time. The modern cloud provides the necessary resources according to user needs through virtualization technology, and users can expand or reduce resources at any time. However, large-scale cloud systems have recently been proposed and services have diversified. In this process, data traffic problems arise in the expanded cloud. As traffic increases, unnecessary user access wastes resources and makes the cloud heavy. The cloud must remain efficient as it expands in size.


Proposed Data Distribution Sharing Cloud System

This section describes the proposed data distribution sharing-based cloud system. It first gives a design overview of its layers, then presents the data distribution sharing algorithm, and finally describes the methodological flow of the proposed system, including the one-time password protocol (OTIP) used between layers.

Design Overview
The cloud system based on data distribution sharing consists of an IoT layer, an edge layer, a fog layer, and a cloud layer, as depicted in Fig. 1. The IoT layer consists of the numerous IoT devices that make up the smart city. IoT equipment collects information from the network through sensing, and, depending on the device, the personal information of the user may be obtained. Therefore, the basic security policy for the IoT device itself must be maintained, and the data must be securely processed and stored at the upper layer. The edge layer controls and manages IoT devices in a certain area. Because the one-time password protocol (OTIP) is applied between IoT devices and edge nodes, an IoT device link table is maintained. Using the information in the table, it provides a secure data channel between IoT and edge nodes in which the IP address changes periodically. Additionally, information collected by IoT devices is either delivered immediately, depending on the type of data, or collected for a certain period and delivered as a data set.
The fog layer configures an edge link table for secure communication with the edge layer. To distribute and store data in the cloud layer, data is sent to the cloud according to the data distribution sharing algorithm. The fog layer also collects the data distributed across the cloud in order to serve data requested by users. Finally, the cloud layer consists of multiple clouds with different locations and storage configurations, allowing the remaining clouds to continue storage and processing services normally if one cloud is paralyzed by a natural disaster or infected by attackers. In addition, sequence-based OTIP is used when storing distributed data from the fog layer. Since the sequence information of the distributed data is applied to OTIP, it is possible to verify whether the split data transferred to the cloud is correct.

Fig. 1. Proposed data distribution sharing cloud system.


Data Distribution Sharing Algorithm
The data distribution sharing algorithm divides data storage: it distributes and stores data by applying either secret sharing or IPFS, depending on the type of data. Fig. 2 depicts the secret sharing and IPFS techniques used for data distribution.

Fig. 2. Basic secret sharing and interplanetary file system techniques.


In the case of secret sharing, data is divided into fragments through a mathematical algorithm, and the fragments are then stored on separate storage devices. The characteristic of secret sharing is that every fragment is unique and of equal standing. Secret sharing can only recover the data from a certain number of fragments; therefore, the data cannot be recovered when a small number of attacker nodes obtain fragments. Secret sharing offers excellent data integrity and stability, as the data can be recovered from more than a certain number of fragments even in case of partial data loss. However, because mathematical techniques are used, the larger the data, the more resources and time it takes to divide it.
IPFS divides data according to size, stores the pieces on separate storage devices, and generates a data session key for retrieving the fragments. IPFS is an algorithm built on a P2P system. It works by rapidly retrieving data distributed across multiple clouds using hash values computed from the contents of the data, and then combining the pieces into one. Key/value pairs of the data are stored in a hash table. IPFS is fast because it can deliver the data session key to each cloud and retrieve all distributed pieces at once. However, the data cannot be reconstructed if the data session key is unavailable or if some of the distributed data is lost.
Fig. 3 shows the flowchart of the data distribution sharing algorithm. The algorithm proceeds as follows:
1. Classify data according to its type: Data can be divided into system information (about IoT devices, edge nodes, etc.), privacy information that is sensitive to users, and general data that is relatively non-sensitive, such as temperature, brightness, and transportation data. System information and user privacy information should always be kept safe regardless of how the data changes or its size. Therefore, such data is distributed and stored by applying the secret sharing algorithm.
2. Data storage types: General data is stored differently depending on how often it changes. Frequently changing data can be encrypted and stored using a general cryptographic algorithm, because repeatedly running a distributed algorithm on it would generate processor load.
3. Static data storage: Data that does not change frequently is stored differently depending on its size. When the data is large, it is efficient to divide it before storage: the information is distributed and stored through the IPFS algorithm, and the data session key is stored using the secret sharing algorithm.

Fig. 3. Flow chart of the data distribution sharing algorithm.


Algorithm 1 shows the data distribution sharing algorithm. Data information such as the data itself, its type, and its size is entered, and the algorithm branches into the secret sharing, IPFS, or encrypt step depending on the data type. The algorithm classifies data by defined policies, and security managers can modify these policies according to internal and external circumstances.

Algorithm 1. Data distribution sharing algorithm
Define: Importance policy, Size policy
Input: Data, Data.D_type, Data.D_size
Output: Encrypted data S, or distributed data collection S, D
if Importance policy.critical(Data.D_type):
    Temp ← Data linearization(Data)
    for n in Data.D_size do:
        S[n] ← Secret sharing(Temp, Data.D_size, n)
    return S                        * Distributed data collection S
else if Importance policy.sensitive(Data.D_type) && Size policy(Data.D_size):
    key ← IPFS_Initialization(Data)
    for n in Data.D_size do:
        D[n] ← IPFS(Data, Data.D_size, n)
    for n in key.k_size do:
        S[n] ← Secret sharing(key, key.k_size, n)
    return D, S                     * Distributed data collection D and distributed IPFS key collection S
else:
    S ← Data Encrypted(Data, Data.D_size)
    return S                        * Encrypted data S
In the secret sharing step, the data is linearized so that secret sharing can be applied, and the secret sharing algorithm is run according to the size of the data. The resulting pieces are distributed and stored across multiple clouds, and the data can be recovered even if some pieces are lost. In the IPFS step, large-sized data is divided using the IPFS algorithm. The data is loaded all at once using the session key, which is fast, but if some of the distributed data is damaged it cannot be retrieved. In addition, if the session key is exposed to attackers, the data may be stolen; even insignificant data can become a target for secondary attacks that infer user information from large-scale data. Therefore, the session key is protected through secret sharing. Finally, the encrypt step applies to general and constantly changing data. Such data is simply encrypted with a cryptographic algorithm and stored in the cloud. Depending on its importance and size, it can later be stored by applying secret sharing or IPFS at the next storage stage.
The data distribution sharing algorithm is highly secure: when secret sharing is applied to the information types handled by the secret sharing and IPFS branches, the data cannot be exposed using only the pieces obtained during a cyber-attack. The IPFS branch is advantageous in terms of speed, because all distributed data is retrieved at once, and its stability is guaranteed because the data session keys used for retrieval are stored through secret sharing. Therefore, the algorithm is effective in that it secures confidentiality and availability for sensitive data while efficiently storing and loading large-scale data.
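As an added illustration of Algorithm 1 and the three branches described above (this is example code written for this discussion, not the authors' implementation), the following Python models the dispatcher with a real Shamir (k, n) split over a prime field, a content-addressed chunk store standing in for IPFS with SHA-256 addresses, and the session key itself protected by secret sharing. The importance/size policies, the thresholds, and the field prime are assumptions; the encrypt branch is left as a marker because the paper does not fix a cipher.

```python
import hashlib
import secrets

# Added example, not the paper's code. Policies, thresholds and the chunk
# store below are assumptions chosen for illustration only.

P = 2**127 - 1       # prime field for Shamir arithmetic (a Mersenne prime)
BLOCK = 15           # plaintext bytes per field element (+1 length byte < 2**124 < P)


def _poly(coeffs, x):
    """Horner evaluation of a polynomial (a0 first) at x modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_split(secret: bytes, k: int, n: int) -> list:
    """Shamir (k, n): n shares of the form (x, [y per block]); any k recover secret."""
    if not 1 < k <= n < P:
        raise ValueError("need 1 < k <= n")
    shares = [(x, []) for x in range(1, n + 1)]
    for i in range(0, max(len(secret), 1), BLOCK):
        blk = secret[i:i + BLOCK]
        # length byte + right-padded block keeps short/trailing-zero blocks intact
        a0 = int.from_bytes(bytes([len(blk)]) + blk.ljust(BLOCK, b"\0"), "big")
        coeffs = [a0] + [secrets.randbelow(P) for _ in range(k - 1)]  # degree k-1
        for x, ys in shares:
            ys.append(_poly(coeffs, x))
    return shares


def shamir_recover(shares: list, k: int) -> bytes:
    """Lagrange interpolation at x = 0 using exactly k shares; fewer is refused."""
    if len(shares) < k:
        raise ValueError(f"{len(shares)} shares given, threshold is {k}")
    shares = shares[:k]
    xs = [x for x, _ in shares]
    out = bytearray()
    for b in range(len(shares[0][1])):
        s = 0
        for i, (xi, ys) in enumerate(shares):
            num = den = 1
            for j, xj in enumerate(xs):
                if j != i:
                    num = num * (-xj) % P
                    den = den * (xi - xj) % P
            s = (s + ys[b] * num * pow(den, -1, P)) % P
        raw = s.to_bytes(BLOCK + 1, "big")
        out += raw[1:1 + raw[0]]
    return bytes(out)


def distribute(data: bytes, d_type: str, k: int = 3, n: int = 4,
               size_limit: int = 4096, chunk: int = 1024) -> dict:
    """Algorithm 1 dispatcher. Assumed policies: 'system'/'private' are critical,
    'sensitive' data above size_limit takes the IPFS path, the rest is encrypted."""
    if d_type in ("system", "private"):                      # Importance policy.critical
        return {"step": "secret_sharing", "S": shamir_split(data, k, n)}
    if d_type == "sensitive" and len(data) > size_limit:     # sensitive && Size policy
        pieces = [data[i:i + chunk] for i in range(0, len(data), chunk)]
        hashes = [hashlib.sha256(p).hexdigest() for p in pieces]  # content addresses
        D = dict(zip(hashes, pieces))                        # IPFS-style chunk store
        key = ",".join(hashes).encode()                      # ordered session key
        return {"step": "ipfs", "D": D, "S": shamir_split(key, k, n)}
    return {"step": "encrypt", "note": "general symmetric encryption, not modelled here"}


def ipfs_retrieve(D: dict, key_shares: list, k: int) -> bytes:
    """Rebuild the session key from k shares, then reassemble chunks in order.
    One missing chunk makes the data unrecoverable, which is the paper's caveat."""
    hashes = shamir_recover(key_shares, k).decode().split(",")
    missing = [h for h in hashes if h not in D]
    if missing:
        raise LookupError(f"{len(missing)} chunk(s) lost; cannot rebuild data")
    return b"".join(D[h] for h in hashes)
```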

Methodological Flow of the Proposed System
The device delivers the user's sensitive information to the edge node. When delivering it, the device transmits the data safely using a predefined OTIP. The same procedure is used between the edge node and the fog node. Edge nodes and fog nodes maintain OTIP tables for the sub-layer so that OTIP can be used smoothly. The proposed OTIP algorithm can communicate using IP addresses within a specified range by combining the event-based one-time password mechanism with a logical operation on the subnet mask whenever data communication is required. The OTIP algorithm defines a specified virtual IP range and subnet mask for data transmission, and periodically uses the OTP value produced by the OTP generator and the subnet mask to create a new virtual IP address within the specified virtual IP range through a logical operation, as in Equation (1).

Next IP Address = OTP Generator ∥ Subnet Mask ⊕ Current IP Address    (1)

In addition, the HMAC-SHA-1 hash algorithm, which has a fast operation speed, can be used to generate the OTP, and a new IP address can be generated at high speed by performing the entire logical operation on the IP address value. OTIP has the advantage that packet analysis through network sniffing is more difficult than on conventional communication channels, due to the continuous change of the communication IP address. In addition, intermediate attacks and spoofing attacks can be effectively defended against.
The fog node uses the data distribution sharing algorithm depending on the type of data. In the sequence diagram, the user's sensitive information is divided into fragments S_0 to S_n using secret sharing. Afterward, each data fragment is assigned a sequence number that combines its unique value with cloud information, and is delivered to each cloud through OTIP with the sequence applied. This uses OTIP to maintain data confidentiality and integrity during communication, and in the cloud where the data is finally stored, OTIP with the unique value of the data and the sequence derived from cloud information can protect against the storage of incorrect data.
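The OTIP hop described by Equation (1) and the paragraphs above, as an added example that is not part of the paper: an event-based OTP from HMAC-SHA-1 (RFC 4226 dynamic truncation) is restricted by the subnet mask to the host bits and XORed into the current address, so that two endpoints sharing a secret and a virtual range derive the same address sequence, and a receiver can check an incoming source against its link table. The shared secret, the reading of ∥ as "restrict by mask", the skipping of network/broadcast addresses, and the acceptance window are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example: one reading of the paper's OTIP address hopping, not the
# authors' code. Secret, counter handling, reserved-address rule and the
# acceptance window are assumptions; both endpoints share secret and range.


def hotp_value(secret: bytes, counter: int) -> int:
    """Event-based OTP: RFC 4226 HMAC-SHA-1 with dynamic truncation (31 bits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF


def next_ip(current: ipaddress.IPv4Address, net: ipaddress.IPv4Network,
            otp: int) -> ipaddress.IPv4Address:
    """Equation (1) as modelled here: the OTP, restricted by the subnet mask to
    the host bits, is XORed into the current address; the network prefix is kept,
    so the result always stays inside the configured virtual range."""
    host_bits = ~int(net.netmask) & 0xFFFFFFFF
    new_host = (otp ^ int(current)) & host_bits
    return ipaddress.IPv4Address(int(net.network_address) | new_host)


def otip_schedule(secret: bytes, net: ipaddress.IPv4Network,
                  start: ipaddress.IPv4Address, steps: int) -> list:
    """Address sequence both endpoints derive independently from the shared
    secret; network and broadcast hosts are skipped by advancing the counter."""
    ips, cur, counter = [], start, 0
    while len(ips) < steps:
        cand = next_ip(cur, net, hotp_value(secret, counter))
        counter += 1
        if cand in (net.network_address, net.broadcast_address):
            continue
        ips.append(cand)
        cur = cand
    return ips


def link_table_accepts(expected: list, position: int,
                       src: ipaddress.IPv4Address, window: int = 1) -> bool:
    """Receiver-side check against its link table: accept only the current
    address or the next `window` addresses (tolerates one lost hop)."""
    return src in expected[position:position + 1 + window]
```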


Analysis and Discussion

This section provides the results of analyzing the proposed architecture. The analysis consists of two sections: experimental setting, and performance analysis. In the performance analysis, a comparative analysis is conducted with a general system.

Experiment Setup
This subsection provides a comparative analysis of a general cloud system and the cloud system with the proposed data distribution sharing algorithm. The simulation environment is a cloud model consisting of 7 IoT nodes, 2 fog nodes, and 4 cloud nodes. The experimental environment was constructed by summarizing each core communication section of the proposed architecture. The cloud utilizes a cloud repository divided into four, and data is stored in a randomly chosen cloud repository. The analysis was performed using the “Network Simulator 3” tool on Ubuntu 20.04.3 LTS. We conduct the performance evaluation of the proposed cloud and the general cloud in this section. To evaluate the performance of data communication between the fog node and the cloud repository, we configured 1 fog node and 3 clouds in the simulation. The maximum transmission unit (MTU) was set to 1500 according to the general network criteria. The data types are 60% general data, 20% sensitive data, and the remaining 20% private data, and the simulation transmits 100 random data items. We simulated data of 500 bytes to 2 kB in size and data of 50 kB to 100 kB in size; the results of the experiment are shown in Figs. 4 and 5. To confirm the security and safety of the data communication process of the proposed architecture, general data communication and the proposed system are compared in terms of performance and security.

Fig. 4. Simulation results of small-sized data transmission.


Fig. 5. Simulation results of large-sized data transmission.


Performance Analysis
Fig. 4 compares the packet processing time of small-sized data. For small-sized packets, sensitive data and normal data show similar processing speeds. However, for private data, the proposed system applies secret sharing, so the calculation process takes time. For data below 2 kB, the processing time is about 10% slower than for normal data.
Fig. 5 compares the packet processing rates of large-sized data. Private data takes more time than in the normal system because secret sharing is applied to large data; the simulation shows that the processing time increases by about 30%. For sensitive data, the processing time increases by 8% due to a delay in the algorithm. However, for general data, the IPFS algorithm is applied, reducing the data processing time by 40% compared with the general system.
In terms of performance, for small-sized data the proposed system and the general system are almost the same. However, when large-sized data is processed, private data is confirmed to have a slower processing speed because of the secret sharing computation, although in terms of security it has the advantage that the data can be managed relatively safely. For general data, the processing time was confirmed to be much reduced compared with the general system (Table 1).

Table 1. Simulation environment comparison
System           CPU                  RAM   Number of cloud nodes  Number of fog nodes  Number of IoT nodes
General system   Intel Core i5 10400  6 GB  4                      2                    8
Proposed system  Intel Core i5 10400  6 GB  4                      2                    8


Security Analysis
In the process of data communication between the fog node and the cloud repository, we investigate security against man-in-the-middle (MITM) attacks and network sniffing. The experimental environment consists of 8 IoT devices, 2 fog nodes, and 3 clouds. The MTU was set to 1500 as in a typical network environment. The data types are 60% general data, 20% sensitive data, and the remaining 20% private data. The simulation transmits 100 random data items. The size of the transmitted data is 500 bytes to 2 kB.
Sniffing attacks are launched while data is being sent from the 7 IoT device nodes to the 2 fog nodes. For a smooth simulation, the attack resumes every 30 seconds. This paper presents a solution that prevents the attacks by changing the IP address every 5 seconds. Thus, once the attack starts at second 0, the IP changes at second 5 and the attack fails at its first attempt after the change. Adding the time the attacker needs to detect the new IP and prepare a new attack gives 30 seconds. Thus, after failing the first attempt at second 5, the attacker tries again at second 30, but at second 35 the IP changes again automatically and periodically through the proposed OTIP algorithm, and the attack fails. In this scenario, and based on our experiment, the attack lasts for hardly a few seconds before it fails and restarts.
The results of the network sniffing simulation are shown in Fig. 6. In the general system, once the sniffing attack succeeds, the attack continues and the data is exposed. In the proposed system, the attack fails once the IP address is changed by the OTIP algorithm. Even after the attack is restarted, the IP address changes again and the attacker fails. In addition, for important data, even if the data is sniffed, the attack fails because the secret sharing algorithm has been applied and the data cannot be viewed.

Fig. 6. Simulation results of network sniffing attacks.


Table 2 shows the success rate of attacks by data type under network sniffing attacks. In a normal system, a successful sniffing attack lets the attacker spy on all data while the sniffing is in progress. In the proposed system, however, private data cannot be viewed, and the probability of the attacker confirming general data is 6% and sensitive data 3%. In particular, private data to which the secret sharing algorithm is applied cannot be acquired even if the attacker captures a packet. Attackers cannot inspect important data such as personal information or the security policies of IoT devices.

Table 2. Success rate of sniffing attacks
System           Data type  Sniffing attacks  IP detection rate  Successful sniffing  Attack success rate (%)
General system   Normal     294               291                291                  98
                 Sensitive  112               111                111                  99
                 Private    92                92                 92                   100
Proposed system  Normal     294               25                 20                   6
                 Sensitive  112               9                  4                    3
                 Private    92                14                 0                    0
The results of the MITM attack simulation are shown in Fig. 7. MITM attacks are launched while data is being sent from the 2 fog nodes to the 4 cloud nodes. For a smooth simulation, the attack resumes every 30 seconds, and each attack is an independent new attack. In the general system, once the MITM attack succeeds, the attack continues and the data is exposed. However, the OTIP algorithm changes the IP address every 5 seconds, so in the proposed system the attack fails once the IP is changed by the OTIP algorithm after the MITM attack has succeeded. Even after the attack is restarted, the IP address changes again and the attack fails.

Fig. 7. Simulation results of MITM attacks.


For sniffing attacks, the proposed solution changes the IP address every 5 seconds; thus, even in the scenario where the attacker successfully retrieves the IP address and prepares a sniffing attack, the IP changes automatically and the attack fails. This method enhances the privacy of sensitive data and brings perfect secrecy to the network. Moreover, in this paper we propose hiding the secret keys using secret sharing techniques. This step intensifies the security and privacy of sensitive data, since the key is securely distributed, which eliminates the risk of a malicious node obtaining it. Compared with IPFS, where the security measures are often based on transmission encryption, our solution argues for the importance of securing the data as well and not only the transmission channel; thus, even if an attacker succeeds in downloading the transmitted information, they can neither decrypt nor view it. Moreover, the chances of acquiring the secret key are very limited owing to the high security level of secret sharing techniques, as described in [33]. From another perspective, sniffing and MITM attacks are not the only cyber-attack risks that can be prevented using the proposed method. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are among the most frequently performed attacks by cyber-criminals. These attacks can also be detected and prevented using IP address monitoring, as proposed in [34]. Since the proposed system relies on the OTP-based IP protocol, the network system is capable of detecting any malicious behaviors.
In DoS or DDoS attacks, the attacker generally keeps using the same IP address continuously while transmitting multiple packets, whereas the system is programmed to change the IP address multiple times per minute. Analyzing the network traffic allows us to detect IP addresses that did not change during the communication phase, which is treated as a DoS or DDoS attack. Early detection of DoS and DDoS attacks drastically reduces the damage that can be caused to a victim node. In this scenario, the proposed framework allows us to prevent sniffing and MITM attacks by continuously making them fail, and to limit the damage caused by DoS and DDoS attacks by detecting them at an early stage. Fig. 8 depicts the results obtained after simulating a DoS attack with 7 IoT devices, 2 fog nodes, and 1 cloud as parameters. The outputs show that the attacks can be effectively prevented using the proposed OTIP algorithm [33, 35-39], as shown in Table 3.
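The IP-monitoring rule described above, as an added example that is not from the paper: the packet trace, the 5-second rotation period and the packet threshold are constructed assumptions. The detector flags any source address that stays unchanged for longer than one rotation period while still sending traffic, which an OTIP-conforming node never does.

```python
from collections import defaultdict

# Rotation period assumed for this example (the paper rotates every 5 seconds).
ROTATION_PERIOD = 5.0

# Constructed packet trace (not from the paper): t is seconds since capture start.
# 10.10.0.37 -> 10.10.0.141 -> 10.10.0.58 is one conforming node rotating its
# address; 10.10.0.9 keeps the same address for the whole capture.
SAMPLE_TRACE = """\
t=0.4 src=10.10.0.37 dst=10.10.0.200 len=1400
t=2.1 src=10.10.0.37 dst=10.10.0.200 len=1400
t=0.9 src=10.10.0.9 dst=10.10.0.200 len=64
t=5.6 src=10.10.0.141 dst=10.10.0.200 len=1400
t=6.2 src=10.10.0.9 dst=10.10.0.200 len=64
t=8.8 src=10.10.0.141 dst=10.10.0.200 len=1400
t=11.0 src=10.10.0.9 dst=10.10.0.200 len=64
t=12.3 src=10.10.0.58 dst=10.10.0.200 len=1400
this line is deliberately malformed
t=17.5 src=10.10.0.9 dst=10.10.0.200 len=64
t=23.0 src=10.10.0.9 dst=10.10.0.200 len=64
"""


def parse_trace(text: str) -> list:
    """Turn 'key=value' records into (time, src) tuples; malformed lines are
    skipped rather than aborting the analysis."""
    records = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        try:
            records.append((float(fields["t"]), fields["src"]))
        except (KeyError, ValueError):
            continue
    return records


def source_lifetimes(records: list) -> dict:
    """Per source address: (first_seen, last_seen, packet_count). Records need
    not be in time order."""
    first, last, count = {}, {}, defaultdict(int)
    for t, src in records:
        first[src] = min(first.get(src, t), t)
        last[src] = max(last.get(src, t), t)
        count[src] += 1
    return {src: (first[src], last[src], count[src]) for src in first}


def static_sources(records: list, rotation_period: float = ROTATION_PERIOD,
                   min_packets: int = 3) -> list:
    """Source addresses that persisted longer than one rotation period while
    still sending at least min_packets packets. Under OTIP a conforming node
    changes its address at every rotation, so a long-lived, continuously sending
    address is the DoS/DDoS indicator described in the text."""
    flagged = []
    for src, (first, last, count) in source_lifetimes(records).items():
        if last - first > rotation_period and count >= min_packets:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    records = parse_trace(SAMPLE_TRACE)
    for src, (first, last, count) in sorted(source_lifetimes(records).items()):
        print(f"{src:<12} seen {first:>5.1f}s..{last:>5.1f}s  packets={count}")
    print("flagged as static (DoS candidates):", static_sources(records))
```

The min_packets threshold keeps a single stray packet from a stale address from being flagged; a node that genuinely stopped rotating but also stopped sending is not a flood.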

Fig. 8. Simulation results of DoS attacks.


Table 3. Comparison analysis
Study Technology Sniffing attack MITM attacks System complexity Main contribution Limitation
Nababan, & Rahim [33] Secret sharing and three pass protocol No No High Provide users conveniency as the distributed shares can be secured without doing the encryption phase Deploying Quantum based three pass protocol which can cause delay bandwidth to the network
Zheng et al. [35] IPFS and blockchain No Yes Relatively low Theoretically speedup synchronization between new nodes and the rest of network Performance not tested on real-world scenarios 
Kumar & Tripathi [36] IPFS and smart contract Yes No High Using IPFS as a security and authentication method as well as secure storage space  The cost of deploying smart contract for each IPFS is very high 
Chen et al. [37] IPFS, blockchain, and BitSwap No No Low Propose a solution for bandwidth occupancy  Security and privacy are not considered
Battah et al. [38] IPFS, smart contract, proxy re-encryption No No High Provide immutable and trustful access control  The implementation cost is relatively high
Nizamuddin et al. [39] IPFS, smart contract No No High Design a distributed framework for version control and documents sharing  Multiple vulnerabilities from Solidity code, blockchain, and EVM were detected
Our study IPFS, secret sharing, OTP-IP Yes Yes Low Provide efficiency, security, and scalability of data storage  Only tested against Sniffing attacks and MITM attacks in this paper


Conclusion

The smart city has become an important platform that is closely connected with users’ lives. To provide specialized services to individual users, IoT devices necessarily acquire user privacy data. Recently, many attacks have been mounted to obtain the large amounts of personal data stored in the cloud, and in the process smart city services could become unavailable if cloud storage can no longer provide normal service. The proposed secret sharing-based multi-cloud architecture uses a data distribution sharing algorithm that deploys a secret sharing algorithm or IPFS, depending on the data type and size. For highly important data, a secret sharing algorithm is used, but to solve the processing-time problem for large-scale data, such data is stored through IPFS, divided efficiently, and distributed across various cloud stores. In that case, only the session key required for loading needs to be protected with the secret sharing algorithm to ensure the stability of the key. As a result of the simulation, large-sized data can be stored more efficiently than in a classical system. For personal information, storage efficiency is lower than that of existing systems, but even if an attacker succeeds in an attack, the data cannot be obtained, and even if one cloud storage fails, the data can still be obtained and availability is guaranteed. This research predicts that the problems of smart cities can be solved if data is stored more efficiently and stability against various security threats can be secured.


Author’s Contributions

Conceptualization, TWK, AEA. Data curation, TWK, AEA. Formal analysis, TWK, BK. Funding acquisition, JHP. Investigation, TWK. Methodology, TWK, AEA, BK. Project administration, JSK, JHP. Resources, TWK. Software, TWK. Supervision, JHP. Visualization, TWK. Writing – original draft, TWK. Writing – review & editing, TWK, AEA, JSK, JHP.


Funding

This study was supported by the Research Program funded by the SeoulTech (Seoul National University of Science and Technology).


Competing Interests

The authors declare that they have no competing interests.


Author Biography

Author
Name : Tae Woo Kim
Affiliation : Dept. of Computer Science and Engineering, Seoul National University of Science & Technology (SeoulTech), Seoul, Korea
Biography : He received a Master’s degree in Computer Science and Engineering from Seoul University of Science and Technology, Seoul, South Korea, and a B.S. degree in Computer Science from Kumoh National Institute of Technology, Gumi, South Korea. His current research interests include cloud security, software-defined networking, and Internet-of-Things (IoT) security.

Author
Name : Abir El Azzaoui
Affiliation : Dept. of Computer Science and Engineering, Seoul National University of Science & Technology (SeoulTech), Seoul, Korea
Biography : She is currently pursuing a Ph.D. degree in Computer Science and Engineering with the Ubiquitous Computing Security (UCS) Laboratory, Seoul National University of Science and Technology, Seoul, South Korea, under the supervision of Prof. Jong Hyuk Park. She received a Master’s degree in Computer Science and Engineering from Seoul University of Science and Technology, Seoul, South Korea. Her current research interests include quantum information science, blockchain, Internet-of-Things (IoT) security, and cloud security. She is also a reviewer for IEEE Access and IEEE TII.

Author
Name : Byoungsoo Koh
Affiliation : Korea Creative Content Agency, Seoul, Korea
Biography : He received his Ph.D. degree from Daejeon University, Korea. He is a project director at the Korea Creative Content Agency, Ministry of Culture, Sports and Tourism, Korea. He served as an adjunct professor in the Department of Computer Engineering at Korea University of Industrial Technology. His research interests include system software, networks, and copyright.

Author
Name : Prof. Jaesoo Kim
Affiliation : Dept. of Computer Science and Engineering, Seoul National University of Science & Technology (SeoulTech), Seoul, Korea
Biography : He received his Ph.D. degree from Otago University, New Zealand. He is a professor in the Department of Computer Science and Engineering, Seoul National University of Science and Technology (SeoulTech), Korea. He is a member of the Korean Society of Information Science, the Korean Society of Industrial Application Mathematics, the IEEE Computer Society, the Association for Computing Machinery, and the Australian Computer Society. His research interests include computational intelligence, artificial intelligence, and knowledge engineering.

Author
Name : Prof. Jong Hyuk (James J.) Park
Affiliation : Dept. of Computer Science and Engineering, Seoul National University of Science & Technology (SeoulTech), Seoul, Korea
Biography : He received his Ph.D. degree from the Graduate School of Information Security, Korea University, Korea. He is a professor in the Department of Computer Science and Engineering and the Department of Interdisciplinary Bio IT Materials, Seoul National University of Science and Technology (SeoulTech), Korea. He is editor-in-chief of Human-centric Computing and Information Sciences (HCIS) by KIPS, The Journal of Information Processing Systems (JIPS) by KIPS, and the Journal of Convergence (JoC) by KIPS CSWRG. His research interests include IoT, human-centric ubiquitous computing, information security, digital forensics, vehicular cloud computing, multimedia computing, and so on. In addition, he has been serving as a guest editor for international journals published by Springer, Elsevier, John Wiley, Oxford University Press, Emerald, Inderscience, and MDPI.


References

[1] S. Singh, Y. S. Jeong and J. H. Park, “A survey on cloud computing security: issues, threats, and solutions,” Journal of Network and Computer Applications, vol. 75, pp. 200-222, 2016.
[2] L. Zhao and S. Guo, “An energy efficient multi-hop cluster-head election strategy for wireless sensor networks,” Journal of Information Processing Systems, vol. 17, no. 1, pp. 63-74, 2021.
[3] J. H. Park, S. Rathore, S. K. Singh, M. M. Salim, A. E. Azzaoui, T. W. Kim, Y. Pan, and J. H. Park, “A comprehensive survey on core technologies and services for 5G security: taxonomies, issues, and solutions,” Human-centric Computing and Information Sciences, vol. 11, article no. 3, 2021. https://doi.org/10.22967/HCIS.2021.11.003
[4] Y. Liu, S. Xiao, H. Wang, and X. A. Wang, “New provable data transfer from provable data possession and deletion for secure cloud storage,” International Journal of Distributed Sensor Networks, vol. 15, no. 4, article no. 1550147719842493, 2019. https://doi.org/10.1177/1550147719842493
[5] M. M. Salim, V. Shanmuganathan, V. Loia, and J. H. Park, “Deep learning enabled secure IoT handover authentication for blockchain networks,” Human-centric Computing and Information Sciences, vol. 11, article no. 21, 2021. https://doi.org/10.22967/HCIS.2021.11.021
[6] H. Alshammari, S. A. El-Ghany, and A. Shehab, “Big IoT healthcare data analytics framework based on fog and cloud computing,” Journal of Information Processing Systems, vol. 16, no. 6, pp. 1238-1249, 2020.
[7] Y. Dai, D. Xu, S. Maharjan, G. Qiao, and Y. Zhang, “Artificial intelligence empowered edge computing and caching for internet of vehicles,” IEEE Wireless Communications, vol. 26, no. 3, pp. 12-18, 2019.
[8] S. K. Singh, Y. S. Jeong, and J. H. Park, “A deep learning-based IoT-oriented infrastructure for secure smart city,” Sustainable Cities and Society, vol. 60, article no. 102252, 2020. https://doi.org/10.1016/j.scs.2020.102252
[9] K. Bhushan and B. B. Gupta, “Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment,” Journal of Ambient Intelligence and Humanized Computing, vol. 10, no. 5, pp. 1985-1997, 2019.
[10] C. L. Chen, P. T. Huang, Y. Y. Deng, H. C. Chen, and Y. C. Wang, “A secure electronic medical record authorization system for smart device application in cloud computing environments,” Human-centric Computing and Information Sciences, vol. 10, article no. 21, 2020. https://doi.org/10.1186/s13673-020-00221-1
[11] A. E. Azzaoui and J. H. Park, “Post-quantum blockchain for a scalable smart city,” Journal of Internet Technology, vol. 21, no. 4, pp. 1171-1178, 2020.
[12] I. Cascudo and B. B. David, “ALBATROSS: publicly attestable batched randomness based on secret sharing,” In Advances in Cryptology – ASIACRYPT 2020. Cham, Switzerland: Springer, 2020, pp. 311-341.
[13] K. Meng, “A novel and secure secret sharing algorithm applied to insecure networks,” Wireless Personal Communications, vol. 115, no. 2, pp. 1635-1650, 2020.
[14] W. Zheng, K. Wang, and F. Y. Wang, “GAN-based key secret-sharing scheme in blockchain,” IEEE Transactions on Cybernetics, vol. 51, no. 1, pp. 393-404, 2020.
[15] D. Devi, G. S. Rohith, S. S. Hari, and K. S. Ramachandar, “Blockchain based mechanism to eliminate frauds and tampering of land records,” ITM Web of Conferences, vol. 37, article no. 01011, 2021. https://doi.org/10.1051/itmconf/20213701011
[16] A. Tiwari and U. Batra, “IPFS enabled blockchain for smart cities,” International Journal of Information Technology, vol. 13, no. 1, pp. 201-211, 2021.
[17] T. W. Kim, Y. Pan, and J. H. Park, “OTP-based software-defined cloud architecture for secure dynamic routing,” Computers, Materials & Continua, vol. 71, no. 1, pp. 1035-1049, 2022.
[18] H. Kim, J. Han, C. Park, and O. Yi, “Analysis of vulnerabilities that can occur when generating one-time password,” Applied Sciences, vol. 10, no. 8, article no. 2961, 2020. https://doi.org/10.3390/app10082961
[19] A. Gutub and A. Al-Qurashi, “Secure shares generation via M-blocks partitioning for counting-based secret sharing,” Journal of Engineering Research, vol. 8, no. 3, pp. 92-117, 2020.
[20] A. Gutub and T. AlKhodaidi, “Smart expansion of target key for more handlers to access multimedia counting-based secret sharing,” Multimedia Tools & Applications, vol. 79, no. 25, pp. 17373-17401, 2020.
[21] G. J. Ra, C. H. Roh, and I. Y. Lee, “A key recovery system based on password-protected secret sharing in a permissioned blockchain,” Computers, Materials & Continua, vol. 65, no. 1, pp. 153-170, 2020.
[22] J. Cha, S. K. Singh, T. W. Kim, and J. H. Park, “Blockchain-empowered cloud architecture based on secret sharing for smart city,” Journal of Information Security and Applications, vol. 57, article no. 102686, 2020. https://doi.org/10.1016/j.jisa.2020.102686
[23] B. Yuan, C. Lin, H. Zhao, D. Zou, L. T. Yang, H. Jin, and C. Rong, “Secure data transportation with software-defined networking and k-n secret sharing for high-confidence IoT services,” IEEE Internet of Things Journal, vol. 7, no. 9, pp. 7967-7981, 2020.
[24] S. Choi, S. Haruta, Y. An, and I. Sasase, “A server-based distributed storage using secret sharing with AES-256 for lightweight safety restoration,” IEICE Transactions on Information and Systems, vol. 103, no. 7, pp. 1647-1659, 2020.
[25] A. Biswas, R. Sil, and A. Roy, “A study on application of interplanetary file system,” in Communication and Intelligent Systems. Singapore: Springer, 2020, pp. 1017-1025.
[26] V. Ortega and J. F. Monserrat, “Semantic distributed data for vehicular networks using the inter-planetary file system,” Sensors, vol. 20, no. 22, article no. 6404, 2020. https://doi.org/10.3390/s20226404
[27] C. Bieri, “An overview into the interplanetary file system (IPFS): use cases, advantages, and drawbacks,” in Communication Systems XIV. Zurich, Switzerland: University of Zurich, 2021, pp. 78-99.
[28] R. Kumar and R. Tripathi, “Blockchain-based framework for data storage in peer-to-peer scheme using interplanetary file system,” in Handbook of Research on Blockchain Technology. London, UK: Academic Press, 2020, pp. 35-59.
[29] A. Al Mamun, F. Jahangir, M. Umor, S. Azam, M. S. Kaiser, and A. Karim, “A combined framework of interplanetary file system and blockchain to securely manage electronic medical records,” in Proceedings of International Conference on Trends in Computational and Cognitive Engineering. Singapore: Springer, 2021, pp. 501-511.
[30] Y. Tian, Z. Zhang, J. Xiong, L. Chen, J. Ma, and C. Peng, “Achieving graph clustering privacy preservation based on structure entropy in social IoT,” IEEE Internet of Things Journal, vol. 9, no. 4, pp. 2761-2777, 2022.
[31] J. Xiong, R. Bi, M. Zhao, J. Guo, and Q. Yang, “Edge-assisted privacy-preserving raw data sharing framework for connected autonomous vehicles,” IEEE Wireless Communications, vol. 27, no. 3, pp. 24-30, 2020.
[32] T. Deng, X. Li, J. Xiong, and Y. Wu, “POISIDD: privacy-preserving outsourced image sharing scheme with illegal distributor detection in cloud computing,” Multimedia Tools and Applications, vol. 81, pp. 3693-3714, 2022.
[33] D. Nababan and R. Rahim, “Security analysis combination secret sharing protocol and three-pass protocol,” Journal of Physics: Conference Series, vol. 1175, article no. 012111, 2019. https://doi.org/10.1088/1742-6596/1175/1/012111
[34] T. Peng, C. Leckie, and K. Ramamohanarao, “Proactively detecting distributed denial of service attacks using source IP address monitoring,” in Networking 2004. Heidelberg, Germany: Springer, 2004, pp. 771-782.
[35] Q. Zheng, Y. Li, P. Chen, and X. Dong, “An innovative IPFS-based storage model for blockchain,” in Proceedings of 2018 IEEE/WIC/ACM International Conference on Web Intelligence (WI), Santiago, Chile, 2018, pp. 704-708.
[36] R. Kumar and R. Tripathi, “Towards design and implementation of security and privacy framework for Internet of Medical Things (IoMT) by leveraging blockchain and IPFS technology,” The Journal of Supercomputing, vol. 77, no. 8, pp. 7916-7955, 2021.
[37] Y. Chen, H. Li, K. Li, and J. Zhang, “An improved P2P file system scheme based on IPFS and Blockchain,” in Proceedings of 2017 IEEE International Conference on Big Data (Big Data), Boston, MA, 2017, pp. 2652-2657.
[38] A. A. Battah, M. M. Madine, H. Alzaabi, I. Yaqoob, K. Salah, and R. Jayaraman, “Blockchain-based multi-party authorization for accessing IPFS encrypted data,” IEEE Access, vol. 8, pp. 196813-196825, 2020.
[39] N. Nizamuddin, K. Salah, M. A. Azad, J. Arshad, and M. H. Rehman, “Decentralized document version control using Ethereum blockchain and IPFS,” Computers & Electrical Engineering, vol. 76, pp. 183-197, 2019.

  • Received 26 February 2022
  • Accepted 16 March 2022
  • Published 30 April 2022