
Abstract- Today, cloud computing is seen as the future of the IT industry. Use
of IaaS, PaaS and SaaS transforms capital expenses (CapEx) into operational
expenses (OpEx) without sacrificing communication performance or compromising
security, and streamlines workloads for maximum profit.

As organizations look to build modern IT architectures that scale rapidly and
globally while supporting numerous digital channels and a variety of devices,
the cloud is nothing less than critical. This paper, on one hand, elaborates the
cloud feature of SSO together with its underlying implementation using SAML; on
the other hand, it improves communication security at the TLS level and uses a
modified Diffie-Hellman exchange, called "DH with an ASCII digit", to protect the
public values exchanged during the handshake. The paper argues that these two
additional security measures make cloud users more secure against
eavesdroppers and attackers.


IAM- Identity and access management is a set of policies and technologies that
controls access to critical data within an enterprise. When a number of
applications are accessed through a cloud computing framework, it becomes
crucial to perform authentication properly and accurately. IAM provides a
framework that authenticates individuals, checks that they hold the appropriate
permissions, and enforces their rights to access information, services and
applications.

SSO- Single Sign-On enables a user to log in once and access all related web
applications and services without entering credentials again. Given its broad
application domain and easy-to-implement protocols, SSO has become an integral
part of any cloud service provider's offering: there is no need to log in again
and again to use other applications or services from the same provider. This
reduces password fatigue and the security risks that come with it, such as
reused and weakly chosen passwords, although it also concentrates risk in the
identity provider, whose own authentication must therefore be strong (for
example, multi-factor). Enterprises can use IAM products such as OneLogin for
SSO to protect their customers' accounts more efficiently than a large number
of IT administrators could, and to improve regulatory compliance.

OneLogin is an identity management solution intended to address security and
trust issues for large worldwide organizations by centralizing authentication,
removing repeated logins and passwords, and making web application access more
convenient for organizations and individuals.

With OneLogin, an enterprise can set up single sign-on within a few minutes via
the Security Assertion Markup Language (SAML), saving a considerable amount of
time and money.

The main advantage of OneLogin's secure single sign-on integration is that it
saves an organization time and money while extending the security of data in
the cloud. It is an approach that suits both the client and the server side.
Well-known organizations such as Amazon and Myntra are cited as users of
OneLogin's sign-on system.

SAML- Security Assertion Markup Language is an XML-based standard for
exchanging authentication and authorization data between an identity provider
and a service provider. It enables single sign-on to web services through the
exchange of digitally signed XML documents (assertions). SAML has become popular
because it is secure and standardized. The working of SAML is described in the
following diagram, whose components are:

User Agent (Browser)
Request Target Resource / Application
Application Provider / Service Provider
Trusted Identity Provider (IdP)
Verifies SAML assertion & logs the user in (Response with requested resource)

Fig.1.1 SAML authentication cycle

 

The cycle works as follows. The user agent requests a protected resource at the
service provider. Since the user has no session there, the service provider
redirects the browser to the trusted identity provider with an authentication
request. The identity provider authenticates the user (once, for single
sign-on) and issues a SAML assertion carrying the user's identity, signed with
the identity provider's key; for sensitive attributes the assertion may
additionally be encrypted for the service provider. The identity provider
returns the assertion to the browser, which posts it to the service provider's
assertion consumer endpoint. The service provider's job is to validate the
assertion: check the signature against the identity provider's registered
certificate, and check the issuer, the audience, the validity window and that
the assertion has not been replayed. After successful validation the service
provider establishes a session and grants access to the application.

SAML increases security by eliminating extra, per-application credentials. It
reduces exposure to phishing by reducing the number of times a password is
entered, and it reduces administrative time and cost by removing the need to
manage duplicate credentials. Note that SAML does not eliminate passwords
altogether: the user still authenticates to the identity provider, and the
strength of every downstream login rests on that single authentication. SAML
relies on signed (and optionally encrypted) assertions exchanged under a trust
relationship established in advance between identity provider and service
provider, which also allows applications to be deployed much faster.

TLS- Securing communication between user and server over the internet is the
main role of Transport Layer Security. Its main function is to provide
confidentiality and integrity: TLS (and its deprecated predecessor SSL) encrypts
and authenticates a communication channel between two computers.

Because applications can communicate either with or without TLS, the client
must indicate to the server that it wants to set up a TLS connection. There are
two conventions for this:

a)      Implicit TLS: use a different port number for the TLS variant of the
protocol (as HTTPS does with port 443), on which the TLS handshake starts
immediately.

b)      Explicit TLS (opportunistic upgrade): the client first connects in
plaintext and then makes a protocol-specific request to the server to switch
the connection to TLS. Examples are the "STARTTLS" command in SMTP, IMAP and
NNTP (POP3 uses "STLS"), the "AUTH TLS" command in FTP, and, in LDAP, the
StartTLS extended operation, which is identified by the OID
1.3.6.1.4.1.1466.20037 (this is the "OID" request referred to below). In each
case a plaintext session is converted into a private one in place, on the same
port.

Proposed Model- This model is intended to convert all consumer connection
requests into TLS connections. It mandates that the cloud servers issue the
commands STARTTLS, AUTH TLS and the LDAP StartTLS extended operation (OID) from
a small script, written in a scripting language such as Perl or shell that is
supported by the Linux kernel (OS) running on the server. Note that these are
application-protocol commands exchanged inside an SMTP, FTP or LDAP session
rather than shell commands, so a script like the one below only sketches the
intent; in practice the mandate is enforced by configuring each daemon to
refuse authentication and data transfer until the TLS upgrade has completed
(in Postfix, for example, smtpd_tls_security_level = encrypt).

 

Shell Script                        Perl Script

$ cat > myscript.sh                 $ cat > myscript.pl
#!/bin/sh                           #!/usr/bin/perl
STARTTLS                            STARTTLS
AUTH TLS                            AUTH TLS
OID                                 OID
.                                   .
.                                   .
ctrl+d                              ctrl+d

Table 1.1

Any number of commands can be invoked through such a script written in shell or
Perl, as marked by the dots in the table. The script can be run from a bash
shell after making it executable as follows:

 

$ chmod ugo+x myscript.sh
$ ./myscript.sh

 

With the daemons so configured, a client's plaintext connection on the normal
port is upgraded to TLS in place and all further communication is encrypted;
alternatively the client connects directly to the protocol's dedicated TLS
port. The normal and TLS ports for each protocol are listed in the table below:

Protocol   Purpose            Normal Port   TLS variant   TLS port
SMTP       Send mail          25/587        SMTPS         465
POP3       Retrieve mail      110           POP3S         995
IMAP       Read mail          143           IMAPS         993
NNTP       News reader        119/433       NNTPS         563
LDAP       Directory access   389           LDAPS         636
FTP        File transfer      21            FTPS          990
 

LDAP- Active Directory is a directory service implemented by Microsoft that
supports LDAP. The Lightweight Directory Access Protocol is a protocol derived
from the X.500 directory standard. LDAP lets an organization store user names
and credentials centrally so that users can be authenticated and authorized to
access different applications and services over the network. LDAPv3 (RFC 4511)
is the current specification. Plain LDAP on port 389 is not itself
confidential: credentials sent in a simple bind are protected only if the
session is wrapped in TLS, either via LDAPS on port 636 or via the StartTLS
extended operation.

Diffie Hellman with Additional ASCII Digit- The Diffie-Hellman key exchange
(or key agreement) is a protocol that lets two parties establish a shared
secret key over an insecure network. DH must not be confused with an
encryption/decryption algorithm: it is a pure key agreement algorithm, and the
resulting secret is then used as (or to derive) a key for a symmetric cipher.
DH gets its security from the difficulty of computing discrete logarithms in a
finite field, whereas computing exponentials in the same field is comparatively
easy. The secret key itself is never transmitted across the network; what is
transmitted are the public parameters (a prime modulus and a generator) and
each party's public value, from which the shared secret cannot feasibly be
recovered when the prime is large.

In the proposed model, "Diffie-Hellman With Additional ASCII Digit", a lowercase
letter from a to z is sent over the public network together with an integer,
chosen so that the sum of the integer and the ASCII value of the letter (see the
ASCII table below) is the prime modulus. The intent is that an eavesdropper
tracing the network sees only the integer and the letter rather than the prime
itself.

Alphabet      a    b    c    d    e    f    g    h    i    j    k    l    m
ASCII Value   097  098  099  100  101  102  103  104  105  106  107  108  109

Alphabet      n    o    p    q    r    s    t    u    v    w    x    y    z
ASCII Value   110  111  112  113  114  115  116  117  118  119  120  121  122

Table 1.2 ASCII values of the lowercase letters

We choose a prime modulus q and an ASCII letter, say 'd'. In this example the
prime to be transmitted is 107, but rather than sending 107 over the network we
send the expression '7+d'. To an eavesdropper this appears to be the number 7
(which happens to be prime), while the receiver evaluates the original prime as
7 + 100 = 107, because the ASCII value of 'd' is 100. The Diffie-Hellman
exchange then proceeds as follows.

Prime modulus:           q = 7 + d = 107

Primitive root of 107:   p = 2

ALICE                                           BOB

Secret exponent chosen: a = 3                   Secret exponent chosen: b = 5

A = p^a mod q = 2^3 mod 107                     B = p^b mod q = 2^5 mod 107

A = 8 mod 107                                   B = 32 mod 107

A = 8                                           B = 32

Alice's public value is A = 8 and Bob's public value is B = 32. Alice sends A
to Bob and Bob sends B to Alice; the generator p and the modulus q are public
as well.

Alice's shared secret                           Bob's shared secret

S = B^a mod q                                   S = A^b mod q

  = 32^3 mod 107                                  = 8^5 mod 107

  = 32768 mod 107                                 = 32768 mod 107

  = 26                                            = 26

For the values assumed above, Alice's public value 8 and Bob's public value 32
are shared on the network, while both parties arrive at the same secret, 26,
which is never sent over the network. (8, 32 and 26 are values, not key
lengths, and the exponents a = 3 and b = 5 are secret random numbers that need
not be prime.) In real deployments the modulus is far larger: 1024-bit DH
groups are no longer considered adequate, and 2048-bit groups (or elliptic-curve
Diffie-Hellman) are the current minimum; the shared secret is then passed
through a key derivation function to obtain the symmetric session key.

Attackers are accustomed to attempting the discrete logarithm problem, which is
computationally infeasible for a large prime but is still routinely attempted
against weak parameters. The paper's argument is that the additional ASCII
factor hides the actual prime from such an attacker, so that an attempt to
compute the public or private values from it fails. A practitioner should note
the limit of this argument: the integer and the letter travel in the clear and
the ASCII table is public, so anyone who can read the channel evaluates '7+d'
exactly as the receiver does and recovers q = 107. The offset therefore adds
obscurity rather than a cryptographic security factor, and the security of the
exchange continues to rest on the size of q and on authenticating the public
values against an active attacker. Use of ephemeral Diffie-Hellman (DHE or
ECDHE), with fresh exponents for every session, is also desirable to provide
forward secrecy to the key exchange and hence to the communication.

Method- First take a prime q and a primitive root p of q; then each party picks
a secret exponent, a for Alice and b for Bob. Next, compute the public values
A = p^a mod q and B = p^b mod q respectively, and exchange them. To compute the
shared secret, each party raises the other's public value to its own exponent:
Alice computes S = B^a mod q and Bob computes S = A^b mod q, which give the
same result because both equal p^(ab) mod q.
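The exchange above carried through in code, together with what an eavesdropper can do with it, as an added example (Python; not the paper's code). It uses the paper's parameters (the '7+d' encoding, q = 107, p = 2, a = 3, b = 5) and, to run the same functions at a realistic size, the 2048-bit safe prime of RFC 3526 group 14 with fresh 256-bit exponents; the Miller-Rabin check, the exponent size and the brute-force discrete logarithm are this example's additions.

```python
"""The paper's Diffie-Hellman example from both sides of the wire (added
example, not the paper's code). The "7+d" offset and the toy parameters
(q = 107, p = 2, a = 3, b = 5) are the paper's; the 2048-bit safe prime is
RFC 3526 group 14, a standard group a real exchange would use.
"""
import secrets


def encode_prime_with_offset(q, letter):
    """Paper's encoding: send 'k+letter' with k = q - ord(letter), e.g. '7+d'."""
    return "%d+%s" % (q - ord(letter), letter)


def decode_prime_with_offset(message):
    """The public rule Bob applies to recover q; an eavesdropper applies it too."""
    k, letter = message.split("+")
    return int(k) + ord(letter)


def dh_public(p, x, q):
    return pow(p, x, q)                   # p^x mod q


def dh_shared(peer_public, x, q):
    return pow(peer_public, x, q)         # (p^y)^x mod q = p^(xy) mod q


def toy_exchange():
    """Paper's numbers: returns (A, B, Alice's secret, Bob's secret)."""
    on_the_wire = encode_prime_with_offset(107, "d")     # "7+d"
    q = decode_prime_with_offset(on_the_wire)            # 107 at Bob's end
    p, a, b = 2, 3, 5
    A, B = dh_public(p, a, q), dh_public(p, b, q)        # 8, 32
    return A, B, dh_shared(B, a, q), dh_shared(A, b, q)  # 26, 26


def brute_force_dlog(p, h, q):
    """Eve's attack once she knows q: find x with p^x = h (mod q) by trial.
    Trivial for q = 107; the cost grows with the size of q, which is why the
    modulus itself, not how it is written on the wire, protects the secret."""
    for x in range(q):
        if pow(p, x, q) == h:
            return x
    return None


def is_probable_prime(n, rounds=8):
    """Miller-Rabin; sanity-check a modulus before using it."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


# RFC 3526 group 14 (2048-bit MODP), generator 2.
MODP_2048 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)


def real_exchange(q=MODP_2048, p=2):
    """Ephemeral DH in the standard group: fresh 256-bit exponents per session
    (forward secrecy). Returns whether both sides derived the same secret."""
    a, b = secrets.randbits(256), secrets.randbits(256)
    A, B = dh_public(p, a, q), dh_public(p, b, q)
    return dh_shared(B, a, q) == dh_shared(A, b, q)
```

Running toy_exchange shows both parties arriving at 26; decode_prime_with_offset shows that recovering q needs nothing Eve does not already have, and brute_force_dlog shows that once q = 107 is known the secret exponents fall to a loop of about a hundred iterations. With the 2048-bit group the same loop is hopeless, which is what actually protects the secret.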

 

Conclusion- Firstly, the proposed model performs the handshake using "DH with
ASCII digit", which the paper argues makes it harder for eavesdroppers to find
the prime sent on the network and hence to compute the secret (private) key.

Secondly, it secures the session by converting a normal connection request into
a TLS request at the server level, with the help of a shell script running on
the server for the service requests received.

This model is somewhat rigorous but provides good security for cloud
connections together with operational agility. Further scope of this model is
the implementation of such security measures in cloud resource allocation
systems using the Banker's or resource allocation graph (RAG) algorithms.