
Ravikiran Peelukhana et al. / International Journal of Engineering Science and Technology (IJEST)

SECURING VIRTUAL IMAGES USING BLIND AUTHENTICATION PROTOCOL
RAVIKIRAN PEELUKHANA*
Department of computer science, Pondicherry University, Puducherry, 605014, India

SHANTHI BALA P
Department of computer science, Pondicherry University, Puducherry, 605014, India

AGHILA G
Department of computer science, Pondicherry University, Puducherry, 605014, India

Abstract: Cloud virtualization technology improves the economy of scale for data centers through server consolidation, application consolidation and resource consolidation. Virtualization allows the provider to move virtual images from more congested hosts to less congested hosts, as required. Enterprises also get improved server reliability, which in turn increases application performance. Despite these benefits, it brings major security challenges with the portability of virtual images between different cloud providers. The security and integrity of virtual images is the foundation for the overall security of the cloud. Many virtual images are intended to be shared by diverse and unrelated users. Unfortunately, existing approaches to cloud security built by cloud practitioners fall short when dealing with virtual images. Secure transmission of virtual images is possible by providing authentication using the Blind Authentication Protocol (BAP). The proposed approach authenticates the allocation of virtual images using the Blind Authentication Protocol. It provides provable protection against replay and client side attacks even if the keys of the user are compromised. The encryption also provides template protection and revocability, and alleviates the concerns on privacy in widespread use of biometrics. Carrying out the authentication in the encrypted domain is a secure process, while the encryption key acts as an additional layer of security.

Keywords: Cloud computing, virtual images, security, Biometric authentication.

1. Introduction

Virtualization is one of the hottest topics in IT today. Cloud computing's multitenancy, massive scalability, elasticity and self-provisioning of resources have changed the way IT does business today. Driven by the need to strengthen servers to achieve higher hardware utilization rates, boost operational efficiency, and cut costs, enterprises more recently have implemented virtualization to get on-demand access to additional computational resources. This enables them to add processing power and storage capacity on the fly as needed to respond to changing business conditions.

In organizations where applications are deployed within the perimeter, the trust boundary is mostly static and is monitored and controlled by the IT department. With the adoption of cloud services, the organization's trust boundary becomes dynamic and moves beyond the control of IT. With cloud computing, the network, system and application boundary of an organization extends into the service provider's domain. This loss of control continues to challenge the established trusted governance and control model.

Virtual machine (VM) images need high integrity as they determine the initial states of running machines, including their security states. The security and integrity of VM images are the foundation for the overall security of the cloud. Current approaches to cloud security built by cloud practitioners fall short when dealing with VM images. The image publisher is mostly concerned about confidentiality, whereas the service consumer is concerned about safety. The cloud administrator is concerned with the integrity of individual images along with the security and compliance of the cloud system. Available authentication mechanisms are not strong and secure enough to deal with ever increasing threats. Hence, we introduce the concept of securing virtual images in a cloud environment using the Blind Authentication Protocol. Administrators often fail to manage images properly,

ISSN : 0975-5462

Vol. 3 No. 4 April 2011

2857

primarily for two reasons. First, the lack of security or integrity of an image is not known until its first run. Second, the time it takes to start a running instance of an image, scan and patch the instance, and then capture it back to a new image is on the order of hours. This makes the maintenance operations time consuming. For a typical size cloud repository it would easily take months to perform just one round of maintenance.

This paper is organized as follows: Section 2 provides a survey of virtual image security concerns. The proposed architecture, its algorithm for securing the virtual images and the process flow diagram are described in Section 3. Section 4 gives the implementation details and Section 5 concludes the work.

2. Related Work

Virtual image sharing provides an easier way of developing and propagating Trojan horses. Conventionally, a Trojan horse program can only be developed and tested on the hacker's machine, and will only run on a victim's machine if the victim's software stack satisfies its dependencies. Hence, to target a wide range of victims, the hacker must develop and test variants of his Trojan horse on different software stacks and make sure that the right version is delivered to the right victim. Using a virtual image as a transporter for the Trojan horse makes the hacker's job easier.

2.1. Vulnerabilities rampant in the state of the art cloud offerings

Bernd Grobauer et al in [3] described session riding and session hijacking. Session riding/hijacking vulnerabilities are intrinsic to web application technologies and are certainly relevant for cloud computing. There are many techniques to implement session handling. This identified injection vulnerabilities as a major threat. Injection vulnerabilities are exploited by manipulating input to a service/application such that parts of the input are interpreted and executed as code against the intentions of the programmer. Examples of injection vulnerabilities are:

SQL injection: The input contains SQL code that is erroneously executed in the database backend.
Command injection: The input contains OS commands that are erroneously executed via the operating system.
Cross-site scripting: The input contains JavaScript code that is erroneously executed by a victim's browser.

Fig. 1 SOAP message sent by a legitimate client (diagram labels: Soap:Envelope; Soap:Header; Soap:Body Id="body"; getFile Name="kiran.jpg"; wsse:Security; ds:Signature; ds:SignedInfo; ds:Reference URI="#body")

Meiko Jensen et al [4] described the XML Signature Element Wrapping attack, or wrapping attack, on a SOAP message sent by a genuine client. Fig. 1 represents a SOAP message sent by a genuine client. The SOAP body contains a request for the file "kiran.jpg" and was signed by the sender. If an attacker intercepts such a message, he can perform the following attack. Fig. 2 depicts the attack, where the original body is moved to a newly inserted wrapping element inside the SOAP header, and a new body is created. This body contains the operation the attacker wants to perform with the original sender's authorization. Here the request for the file "kiran.jpg" is modified and "config.doc" is asked for. The resulting message still contains a valid signature of a legitimate user, thus the service executes the modified request [4].

Fig. 2 Body is moved to a newly inserted wrapping element (diagram labels: Soap:Envelope; Soap:Header; wrapper; Soap:Body Id="body"; getFile; Wsse:Security; ds:Signature; ds:SignedInfo; ds:Reference URI="#body"; Soap:Body; sellstocks; Name="config.doc")

As Meiko Jensen et al [4] put it, a metadata spoofing attack aims at maliciously reengineering a Web Service's metadata descriptions. For example, an adversary may modify a service's WSDL so that a call to a deleteUser operation syntactically looks like a call to another operation, e.g. setAdminRights. An adversary could manage to create a bunch of user logins that are thought to be deleted by the application's semantics, but in reality are still valid.

Unsecured virtual machines (VMs) can serve as back doors to the virtual data center or as an entry point to inject viruses into the protected LAN. If one VM is compromised, all other VMs that are part of the virtual network can be compromised without user knowledge. In such a case, a VM compromised by a keystroke monitor could allow the monitoring of server hardware resources on all other VMs hosted on the same machine.

Current virtualization security and management tools are very simple and very immature, and security staff are often not familiar with them. Indeed, most of the tools that security staff are familiar with do not work in the VM environment.

Virtualization makes the problem worse. In a virtual environment, servers are files that can be copied from the host. Replicating a server image is equivalent to stealing a server. So any access to the virtualization host—even remote access—is critical. The administrator not only has control over the physical host, but over all of the virtual sessions running on it. For example, on some virtualization technologies, by tracking keystrokes for all VM images, an intruder can compromise user passwords and other confidential data. Further, machine memory can be accessed from the hypervisor, compromising transit information like passwords and encryption keys. Shared internal network traffic could also be sniffed from the hosting operating system, exposing other critical data.

Without an independent access control solution, multiple privileged users in various roles have the ability to interact with numerous components of a virtualization deployment, and additionally are provided with administrator level access rights. They can also have access to sensitive data and have an impact on business continuity. This inadequately regulated access to the hypervisor presents the potential for significant damage to the enterprise through the compromise of valuable information and disruption of critical services.
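The wrapping attack of Figs. 1 and 2 succeeds when a service verifies the signature over whatever element the ds:Reference points to but then processes the Envelope's Body without checking that the two are the same element. The following check is an added example, not code from the paper or from [4]; the two messages are constructed samples shaped like the figures, the function name is hypothetical, and cryptographic signature verification is assumed to happen separately.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
_XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
_SECURITY = ('<wsse:Security><ds:Signature><ds:SignedInfo>'
             '<ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature></wsse:Security>')

# Constructed sample shaped like Fig. 1 (signature value omitted).
LEGITIMATE = (f'<soap:Envelope {_XMLNS}><soap:Header>{_SECURITY}</soap:Header>'
              '<soap:Body Id="body"><getFile Name="kiran.jpg"/></soap:Body></soap:Envelope>')

# Constructed sample shaped like Fig. 2: signed body parked in the header.
WRAPPED = (f'<soap:Envelope {_XMLNS}><soap:Header>{_SECURITY}'
           '<Wrapper><soap:Body Id="body"><getFile Name="kiran.jpg"/></soap:Body></Wrapper>'
           '</soap:Header>'
           '<soap:Body Id="newbody"><getFile Name="config.doc"/></soap:Body></soap:Envelope>')

REFERENCE_PATH = "soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"


def signed_body_check(message):
    """Return (ok, reason): ok only if the signed element is the processed Body."""
    root = ET.fromstring(message)
    bodies = root.findall("soap:Body", NS)          # direct children of Envelope only
    if len(bodies) != 1:
        return False, "envelope must have exactly one Body child"
    body = bodies[0]
    uris = [ref.get("URI", "") for ref in root.findall(REFERENCE_PATH, NS)]
    if not uris:
        return False, "no signature reference found"
    covered = False
    for uri in uris:
        if not uri.startswith("#"):
            return False, f"unsupported reference {uri!r}"
        targets = [el for el in root.iter() if el.get("Id") == uri[1:]]
        if len(targets) != 1:                       # duplicate or missing Id is ambiguous
            return False, f"Id {uri[1:]!r} resolves to {len(targets)} elements"
        if targets[0] is body:
            covered = True
    if not covered:
        return False, "signed element is not the Body that will be processed"
    return True, "signature reference covers the processed Body"


if __name__ == "__main__":
    print(signed_body_check(LEGITIMATE))
    print(signed_body_check(WRAPPED))
```
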

Poor key-management procedures
Bernd Grobauer et al state that virtual machines do not have a fixed hardware infrastructure and cloud based content tends to be geographically distributed; cloud computing infrastructures require the management and storage of many different kinds of keys, and it is more difficult to apply standard controls, such as hardware security module (HSM). Poor key-management procedures lead to insecure authentication while allocating virtual machines [3].

Weak random number generation
Cryptographic vulnerabilities due to weak random number generation may exist, because the layer of abstraction between hardware and OS kernel introduced by virtualization may be problematic for the generation of random numbers within a virtual machine environment: generation of random numbers requires a source of entropy which must somehow be provided from the hardware level. Virtualization may have flawed mechanisms for tapping that source of entropy, or the presence of several virtual machine environments on the same host may exhaust the available entropy, leading to the generation of weak random numbers [3].

Weak credential reset mechanisms
Bernd Grobauer et al state that in situations where the cloud provider manages user credentials himself rather than using federated authentication, he must provide a mechanism for resetting credentials in the case of forgotten/lost credentials. Password-recovery mechanisms especially have been shown to be weak [3].

Powerful control of privileged users
Like root users from the UNIX/Linux world, privileged users with hypervisor access need to be tightly controlled. A hypervisor admin has the potential to be able to do anything to a virtual environment. While these hypervisor accounts have passwords, these passwords can be shared or easily exposed to unauthorized people. These accounts may also be shared among many different operators, which makes it impossible to hold them accountable for privileged activity. This activity leads to mistakes such as moving and starting a virtual machine on a production server where it should not have been, or worse, malicious acts such as removing virtual machines and destroying data [9].

Unexpected input handling capability
A cloud vendor should be able to systematically identify how many interfaces each service has that might receive untrusted input and how those interfaces specifically handle such input securely (for example, discarding or upgrading an input's integrity immediately).

3. Proposed work

The proposed work deals with securing virtual images at the server side in a cloud environment using the blind biometric authentication protocol. Maneesh Upmanyu et al [1] define Blind Authentication as a biometric authentication protocol that does not reveal any information about the biometric samples to the authenticating server. Such a protocol can satisfy the conditions presented in our initial scenario, where Alice wanted to create an account with Bob mail that required biometric authentication, which she did not trust. We now present the authentication framework that achieves this goal using any biometric, and prove that the information exchanged between the client and the server does not reveal anything other than the identity of the client. Blind authentication happens over two rounds of communication between the client and the server.

Round 1:
1. To perform authentication, the client locks the biometric test sample using her public key and sends the locked ID to the server.
2. The server computes the products of the locked ID with the locked classifier parameters and randomizes the results.
3. These randomized products are sent back to the client.

Round 2:
1. The client unlocks the randomized results and computes the sum of the products.
2. The resulting randomized sum is sent to the server.
3. The server de-randomizes the sum to obtain the final result, which is compared with a threshold for authentication.

As the protocol is based on asymmetric encryption of the biometric data, it captures the advantages of biometric authentication as well as the security of public key cryptography. The protocol is blind in the sense that it does not reveal any information about the biometric samples to the authenticating server [1]. The authentication protocol can run over public networks and provide non-repudiable identity

verification. It provides provable protection against replay and client side attacks even if the keys of the user are compromised. The encryption also provides template protection and revocability of enrolled templates, and alleviates the concerns on privacy in widespread use of biometrics. Carrying out the authentication in the encrypted domain does not affect the accuracy, while the encryption key acts as an additional layer of security. As the enrolled templates are encrypted using a key, one can replace any compromised template, providing revocability.

Suppose Alice wants to create an account in Bob mail that requires biometrics based authentication. However, the primary problem here is that, for Alice, she can neither trust the network to send her plain biometric nor trust Bob to handle her biometric data securely. Bob could either be incompetent to secure her biometric or even curious to try and gain access to her biometric data. So Alice does not want to give her biometric data in plain to Bob. On the other hand, Bob does not trust the client as she could be an impostor. She could also repudiate her access to the service at a later time. For both parties, the network is insecure.

3.1. Existing Authentication Method

Fig. 3 Architecture of existing authentication procedure

In the existing authentication procedure the user requests a virtual image by sending his credentials to the server. The server checks the validity of the credentials and, after successful validation, it checks for the availability of the virtual image in the repository. The virtual machine image repository provides image store and retrieval functions. If any unallocated virtual image is available, it then checks if the Service Level Agreement (SLA) is met. If the conditions are satisfied, the image is sent to the user as shown in Fig. 3.

3.2. Proposed architecture

Fig 4: Proposed architecture for Authentication

In our proposed architecture, the user requests a virtual image by sending his credential using the Blind authentication procedure, binding the biometric sample with the public key. While the authentication process is going on, the Moderator will send the credentials

for enrollment server. It verifies its registration. If the user is a registered person, it will send the details to the authenticating server for authentication after two rounds of process of Blind Authentication. The authenticating server will send its decision whether to accept or to reject based on a threshold value. If accepted, the user is accepted as an authentic user and the request is redirected to the cloud server. The cloud server will check for the availability of a virtual image from the image repository. If any virtual image is free and the SLA is met, it will allocate the virtual image based on the user requirements without degrading the performance of the cloud.

Algorithm for proposed architecture:
1. Client sends biometric sample and public key along with request for virtual image
2. Moderator sends the biometric detail of user for authentication to the authentication server
3. If new user
      Send biometric samples to the enrollment server
4. If authentic then
      Moderator checks the availability of the virtual image
      If virtual image is available then
         If SLA is met
            Allocate the virtual image
         Else
            Virtual Image is not allocated
      Else
         Virtual Image is unavailable
5. Else
      User is prompted for fresh registration, i.e. goto step 3

This architecture resolves the following server side concerns.
• Poor key-management
• Weak random number generation
• Weak credential reset mechanisms
• Powerful control of privileged users
• Unexpected input handling capability

Blind authentication rules out these concerns by providing a strong authentication procedure.

Poor key-management can be handled by binding the public key and biometric sample of the user, where the biometric sample of the user is encrypted before binding with the public key. Using this architecture, even if an eavesdropper snoops the channel, credentials are sent in encrypted form along with the public key, so he could not decipher anything.

Biometric Authentication Protocol (BAP) eliminates the setback of weak random number generation as the server has access to a strong random number generator source, thereby evading man in the middle attack, as for each session a random number is generated which can't be guessed.

Weak credential reset mechanisms can be resolved by using the Blind Authentication Protocol with the property of revocability of issued templates. The enrolled templates are encrypted using a key, so one can replace any compromised template, while allaying concerns of being tracked. The biometric sample is never stored as plain, thereby reducing the amount of information leakage.

Privileged users can be given powerful control over the resources they are authenticated for and can be monitored for any inadvertent usage, as their authentication mechanism is bound with their biometric trait.

Unexpected input handling capability can be thwarted: Even if the impostor replaces the partial sums with random numbers, he might be able to bypass the confidence test without knowing anything about the biometric or the private key. A simple modification of the protocol at the server side could thwart this attack. The server could multiply all the sums with a random scale factor and check if the returned sum is a multiple of or not. From his view, the impostor cannot learn the random scale factor as GCD is not defined for congruences.

With the augmented use of Federated identity and Single sign on, users' credentials are used for all the subservices of a service provider, thereby emphasizing the need for a strong authentication mechanism.

• Federated identity: Federation is the process of managing trust relationships established beyond the internal network boundaries or administrative domain boundaries among distinct organizations. Service Provisioning Markup Language (SPML) is a promising standard that helps organizations automate provisioning of user identities for cloud services. Service providers in cloud can use SPML to automatically provision user accounts and profiles with the utilization of service, enabling "just-in-time provisioning" to create accounts for new users by collecting a biometric sample.
• Single sign on: It is an authentication process that lets a user enter a username and password only once when they log on to a server, yet have access to many applications. If a user has rights to use many different applications on a server, they need to log in once and they are never prompted again for any username and password while they are switching between different programs or applications on that same server.

3.3. Process flow diagram

Fig 5: Process flow diagram (participants: client, Moderator, VM manager, Authenticating server, Enrollment server; messages: Biometric test sample + public key; Request VM; Check if valid; If new user, send biometric samples for enrollment; Enrolled, authentic; Check for VM; Check if SLA is met; SLA is met: Allocate VM; SLA not met: VM can't be allocated as SLA is not met)

Fig 5 shows the flow of process in securing the virtual images, where the client requests the virtual image by sending the biometric sample and public key to the moderator. The moderator sends it to the authenticating server to check if the user is valid. If he is a new user, then biometric samples are sent for enrollment to the enrollment server. If the user is authentic, then the request is sent to the VM manager to check for availability of a VM. If a VM is available, it then checks if the SLA is met and allocates the VM; otherwise it sends a message regretting the allocation as the SLA is not met.
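The two rounds of blind authentication described in Section 3 can be traced end to end with a multiplicatively homomorphic cipher. The sketch below is an added example, not code from the paper or from [1]: it assumes textbook RSA with a toy key as the locking scheme, integer feature and weight vectors, and a share-based randomization (server-side values lam and r chosen so the shares recombine to the true score); all names and sample values are constructed for illustration.

```python
import math
import secrets

# Client's toy RSA key (two Mersenne primes, no padding): unsafe for real use.
# Textbook RSA is multiplicatively homomorphic: enc(a)*enc(b) % N == enc(a*b % N).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never leaves the client


def enc(m):                               # public operation: "lock"
    return pow(m % N, E, N)


def dec(c):                               # private operation: "unlock"
    return pow(c, D, N)


def enroll(weights):
    """Enrollment server keeps the classifier parameters only in locked form."""
    return [enc(w) for w in weights]


def random_unit():
    """Random value invertible modulo N."""
    while True:
        v = secrets.randbelow(N - 1) + 1
        if math.gcd(v, N) == 1:
            return v


def server_round1(locked_sample, locked_template, k=3):
    """Round 1: multiply locked sample by locked template and randomize.

    Assumed randomization: each product is split into k shares masked by
    r[0..k-1] with sum(lam[j] * r[j]) == 1 (mod N); lam stays on the server.
    """
    lam = [random_unit() for _ in range(k)]
    inv_last = pow(lam[-1], -1, N)
    rows = [[] for _ in range(k)]
    for cx, cw in zip(locked_sample, locked_template):
        r = [secrets.randbelow(N) for _ in range(k - 1)]
        r.append((1 - sum(l * v for l, v in zip(lam, r))) * inv_last % N)
        for j in range(k):
            rows[j].append(cx * cw * enc(r[j]) % N)
    return lam, rows


def client_round2(rows):
    """Round 2: unlock the randomized products and sum each row."""
    return [sum(dec(c) for c in row) % N for row in rows]


def server_decide(lam, sums, threshold):
    """De-randomize the sums to get the score and compare with the threshold."""
    score = sum(l * s for l, s in zip(lam, sums)) % N
    return score, score >= threshold


def blind_authenticate(sample, locked_template, threshold):
    locked_sample = [enc(x) for x in sample]          # client locks test sample
    lam, rows = server_round1(locked_sample, locked_template)
    return server_decide(lam, client_round2(rows), threshold)


# Constructed integer feature vectors, classifier weights and threshold.
WEIGHTS = [3, 1, 4, 2]
GENUINE = [9, 8, 7, 9]      # 3*9 + 1*8 + 4*7 + 2*9 = 81
IMPOSTOR = [1, 2, 1, 0]     # 3*1 + 1*2 + 4*1 + 2*0 = 9
THRESHOLD = 50

if __name__ == "__main__":
    template = enroll(WEIGHTS)
    print(blind_authenticate(GENUINE, template, THRESHOLD))
    print(blind_authenticate(IMPOSTOR, template, THRESHOLD))
```

The server handles only locked values and the final score, while the client sees only masked products, so neither side learns the other's plain vector from the exchange.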

4. Implementation

We have installed Ubuntu 10.04 server on two machines with Intel i3 processors. Ubuntu 10.04 comes with preinstalled Eucalyptus components. One of the systems acts as Node controller and the other serves as Cluster controller, storage controller and cloud controller. One more machine with an Intel i3 processor is installed with Ubuntu 10.04 desktop version to serve as the client to request a VM. We observed the authentication of virtual images in the Ubuntu cloud, found flaws in the existing process, and applied the blind authentication process over the authentication procedure in the Ubuntu cloud.

5. Conclusion

As cloud computing offers great elasticity and flexibility, misuse of resources poses a great threat in future. Normal authentication procedures lack secure authentication: an eavesdropper can snoop upon the credentials, and the authenticated user will be charged for the usage of the hacker. If credentials are successfully snooped upon, the unauthorized user, depending upon the access level, can even launch attacks on the cloud. Using the proposed architecture reduces the risk of unauthorized usage and eliminates the risks of man in the middle attacks.

References

[1]. Maneesh Upmanyu, Anoop M. Namboodiri, Kannan Srinathan, and C. V. Jawahar, "Blind Authentication: A Secure Crypto-Biometric Verification Protocol", IEEE Transactions on Information Forensics and Security, vol. 5, no. 2, June 2010.
[3]. Grobauer, Walloschek and E. Stöcker, "Understanding cloud computing vulnerabilities", Special Issue on Cloud Computing, IEEE Security & Privacy.
[4]. Meiko Jensen, Jorg Schwenk, Nils Gruschka and Luigi Lo Iacono, "On Technical Security Issues in Cloud Computing", 2009 IEEE International Conference on Cloud Computing, pp 2.
A. K. Jain, K. Nandakumar, and A. Nagar, "Biometric template security," EURASIP Journal on Advances in Signal Processing, Volume 2008, Article ID 579416, 17 pages.
K. Mukherjee and G. Sahoo, "A Secure Cloud Computing", 2010 International Conference on Recent Trends in Information, Telecommunication and Computing.
Borja Sotomayor, Rubén S. Montero, Ignacio M. Llorente and Ian Foster, "Virtual Infrastructure Management in Private and Hybrid Clouds", 1089-7801/09, IEEE Computer Society, IEEE Internet Computing.
Patrick McDaniel and Sean W. Smith, "Outlook: Cloudy with a Chance of Security Challenges and Improvements", IEEE Security & Privacy, 1540-7993, January/February 2010.
Dave Cullinane, Jerry Archer, Alan Boehme, Paul Kurtz, Nils Puhlmann and Jim Reavis, "Top threats to cloud computing v1.0", Cloud Security Alliance, March 2010.
Tim Mather, Subra Kumaraswamy and Shahed Latif, "Cloud security and privacy", An Enterprise Perspective on Risks and Compliance, O'Reilly, March 2010.
Tim Mather, Subra Kumaraswamy and Shahed Latif, Cloud security and privacy, O'Reilly, March 2010, pp 73-107.
White paper on Cloud Computing by Ken Owens, "Securing Virtual Compute Infrastructure in the Cloud".
White paper on cloud, Nimrod Vax, "Securing Virtualized Environments and Accelerating Cloud Computing", May 2010.