Zonificación espacial

To maintain correctness, an IC must be cryptographically strong against forgery. With this in mind, we chose to use three different cryptographic algorithms to generate the integrity code: RSA, CMAC AES, and HMAC SHA [24], [7], [4], [34] [35]. In the literature, both CMAC (Cipher-based Message Authentication Code) and HMAC (Hash-based Message Authentication Code) algorithms have been designed with the objective that anyone without the secret key is unable to produce a valid (matching) MAC. A matching MAC to a data item means that anyone with the knowledge of the secret key can verify the validity of the MAC which in turn proves the integrity of the data item. In this project, we chose to use CMAC AES and HMAC SHA provided by the BouncyCastle Java library [22] to generate integrity codes in our experiments. Compared to RSA, these MAC algorithms have the advantages of smaller-size integrity codes and more efficient code generation. Despite RSA’s large memory and performance footprint, we have included RSA in our experiments because its homomorphic property [23] is useful in aggregate verification and also as a comparison to other notable publications involving the use of RSA [24], [7] and [4].

RSA

RSA has been used widely in many public-key cryptosystems. The public key is used for the encryption (or signature verification) while the private key is used to decrypt the encrypted data (or generate a signature). If y is an RSA private key and (N, x) is the public key, for a message m (or a collection of information related to a data itemd as described in Equations 4.2 or 4.3), the signatureSig(m) can be used as the integrity code to protect the data itemd:

Sig(m) =my mod N (4.4)

The signature Sig(m) can be verified by checking:

m =? Sig(m)x mod N (4.5)

The homomorphic property allows the operations to be made on the ciphers without the need of decryption [30]. RSA has the multiplicative homomorphic property which allows multiplication operations to be made on the integrity code (signature). The result of these operations is equal to the integrity code of the product of the messages (or data) as shown in the the equations below:

Sig(m1) =my1 modN (4.6)

Sig(m2) =my2 modN (4.7)

Sig(m1)∗Sig(m2) = (m1∗m2)y modN =Sig(m1∗m2) (4.8)

This RSA homomorphic property [23] allows the ICDB cloud application in our ICDB model to generate a single Aggregate Integrity Code (AIC) from many indi- vidual ICs (which will be described in section 4.4), which can reduce the integrity verification process’s computational complexity in the ICDB client. Furthermore, checking the integrity of a queried dataset as a whole in the AV mode, the ICDB client only requires one AIC, rather than requiring all individual ICs for all data items in the dataset, thus greatly reducing the network load.

There are other public key algorithms such as Elgamal and Paillier [8] [9], which also have the homomorphic property. We chose RSA partially because the research

work in [33] have found that RSA takes less time for encryption and decryption compared to Elgamal and Paillier, though RSA’s key generation may take a longer time. We use RSA in this research only for integrity code generation/verification and not for the purpose of protecting confidentiality. The time to generate keys is not an issue since the data owner (ICDB client) will not share his/her RSA keys (both public and private keys) with anyone: neither the cloud server nor the ICDB cloud application. Thus, the keys can be generated offline. The data owner uses the private key to generate integrity codes (signatures) and uses the public key to verify the integrity codes along with data returned from clouds. The only value shared with the cloud server and the ICDB cloud application is the RSA modulus N, which will be used in modular multiplication of multiple ICs to generate one Aggregate Integrity Code (AIC). Because the public key is not shared with anyone, the known attacks on unpadded RSA are not possible. The use of unique serial number means that all data items (even with the same value) have a unique integrity code.

Cipher-based Message Authentication Code (CMAC)

One type of MAC suited for generating integrity code is a CMAC, using AES-128 [6] as its backing cipher. CMAC is a technique for constructing a Message Authentication Code from a block cipher much like CBC-MAC [34]. It provides assurance of both the authentication and integrity. CMAC is a variation of CBC-MAC and fixes the security vulnerabilities such as the variable-length attack in CBC-MAC. An attacker who knows the correct message-tag in CBC-MAC pairs for two messages (m, t) and (m0, t0) can generate a third message m00 whose CBC-MAC will also be t0. These security issues are fixed in CMAC and hence we chose it as one of our integrity code generating algorithms.

Keyed-Hash Message Authentication Code (HMAC)

The second MAC algorithm we chose to use is HMAC, using SHA-128 as its digest. HMAC is a message authentication code that uses a cryptographic hash and a secret key. So HMAC can simultaneously verify both integrity and authentication. Hash functions are used in various prior works [25] for integrity protection. Hash algorithms such as SHA-1 and MD5 have been attacked in various ways [36]. One way is with length extension attacks where the attacker uses Hash(m1) and length ofm1 to gen-

erate Hash(m1||m2). Since HMAC doesn’t use the construction Hash(key||message),

HMAC is not subject to length extension attacks [35]. The cryptographic strength of HMAC depends on the properties of underlying hash function. The construction of HMAC is described as:

HM AC(k, m) =H((k0⊕opad) +H((k0⊕ipad) +m)) (4.9)

Where, H is a cryptographic hash function, k is the secret key, m is the message, k0

is a secret key derived from the original key k , + denotes concatenation, ⊕ denotes exclusive or (XOR), opadis the outer padding and ipad is the inner padding