Secure Cloud Data Storage System Using Hybrid Paillier–Blowfish Algorithm

: Cloud computing utilizes enormous clusters of serviceable and man-ageable resources that can be virtually and dynamically reconfigured in order to deliver optimum resource utilization by exploiting the pay-per-use model. However, concerns around security have been an impediment in the extensive adoption of the cloud computing model. In this regard, advancements in cryptography, accelerated by the wide usage of the internet worldwide, has emerged as a key area in addressing some of these security concerns. In this document, a hybrid cryptographic protocol deploying Blowfish and Paillier encryption algorithms has been presented and its strength compared with the existing hybrid Advanced Encryption Standard (AES) and Rivest Shamir Adleman (RSA) techniques. Algorithms for secure data storage protocol in two phases have been presented. The proposed hybrid protocol endeavors to improve the power of compared to the existing schemes using RSA and AES procedures have been demonstrated.


Introduction
Recent developments in cloud computing have transformed the eld of computing as well as its utilization of resources. Cloud computing has seen unprecedented adoption, leading to the widespread distribution of computing power in order to deliver diverse and adaptable services on demand over the internet through the virtualization of hardware and software. However, security remains a crucial impediment to large scale adoption of cloud computing. While cloud storage has revolutionized the way computation and storage is accomplished by the utilization of external storage sources, cementing the advantages of the cloud computing paradigm is not viable till it ensures a safe computing platform, trusted by customers and establishments.
Cryptography is a basic tool used to design and analyze security protocols in a communication system. It is frequently applied to attain key security goals. Therefore, designing a novel and effective cryptographic algorithm is an active area of research. In this document, a host of cryptographic techniques for establishing security and privacy is presented. Along with this, the limitations of traditional cryptographic systems in the cloud and the need for homomorphic cryptosystems and cryptographic mechanisms employing the Paillier Homomorphic cryptosystems are mentioned in Section 1. In Section 2, the motivational scenario and the primary offerings outlined in this paper are mentioned. Section 3 provides a literature survey. The proposed hybrid cryptographic technique is discussed in Section 4. The suggested algorithm for a secure data storage protocol is provided in Section 5. The numerical analysis of the proposed and existing hybrid cryptosystems is discussed in Section 6. Finally, Section 7 discusses the conclusion and the future scope of research.

Cryptographic Primer
The proliferation of information and the resultant upsurge in the demand for novel storage solutions and improved network bandwidth has propelled a widespread interest in robust and cost-effective cloud storage services. Nevertheless, despite all its striking capabilities, cloud services, despite its innovative nature, continues to be riddled with numerous security concerns, owing speci cally to its outsourcing and multi-tenancy features. Security has turned out to be a vital concern in today's era of widespread internet usage. Viable remote storage schemes necessitate the presence of security features that are inevitable in cloud storage, such as, con dentiality, integrity, and availability. Besides these, factors like authentication, authorization, audit are also important (see Fig. 1) [1][2][3].
Cryptography delivers elementary algorithms, also termed as cryptographic primitives, combined with a symmetric-key or a public-key structure for securing the data such as encryption, hash function, and digital signature schemes. Some terms related to cryptography are shown in Fig. 2 [1].

The Cryptographic Mechanism in the Clouds
Although traditional cryptographic systems assure delivery of robust levels of security, numerous de ciencies inherent in them diminish the effectiveness of these traditional schemes, speci cally, de ciencies that are exacerbated by the enormous volumes of outsourced records. This greatly effects the availability and security parameters, as well as the performance of cloud delivery systems and services, especially the parameters related to bandwidth, memory, and power management. Consequently, acceptable levels of cryptographic interventions are of utmost signi cance.  The rst thing to consider, when employing an unveri ed security system from a cloud service provider, is the fact that the customer chooses to encipher information that is to be outsourced to distant servers. Here, the huge volumes of data make the practice of traditional asymmetric procedures unsuitable and ineffective. Secondly, the bandwidth ingestion and obtainability requirements of classical algorithms becomes unsuitable in this environment and the ef cient sharing of keys for exible data sharing and the preservation of the con dentiality constraints become paramount. Therefore, the need for innovative interventions in order to overcome the above limitations become necessary.
With regard to cloud computing models, con dentiality infers that the customer's sensitive information and computational errands need to be safeguarded from both cloud providers and illegal consumers. Integrity relates to both data integrity as well as to process integrity. The former requires that information must be reliably stored in the cloud without any violation like data loss, etc. Process integrity refers to the computations being performed so that the programs can be implemented without being corrupted by malware, malicious users or any incorrect computation that cannot be easily detected. Availability ensures that the data is always physically safeguarded against any attack, etc. Authentication implies that unauthorized users cannot access the network. Authorization ensures that only authenticated users are allowed to access information. Finally, audit enables a systematic evaluation of information security.
Homomorphic cryptography (HC) [4] is a kind of cryptographic scheme whose encryption function is a Homomorphism, and thus conserves group operations accomplished on cipher-texts, guaranteeing con dentiality and protection. In this segment, we rst familiarize the reader with the notion of HC and subsequently provide a review of the well-known HC schemes used in cloud storage environments. Next, we discuss Paillier HC. A general privacy-preserving protocol includes two entities, Bob with a secret function f , and Alice with a set of inputs {x 1 , x 2 , x 3 , . . . , x n } without disclosing her inputs. If Bob's function can be premeditated as a homomorphic function, then Alice can transmit the encoded data to Bob. Bob can then perform the required homomorphic computations, randomize the resultant cipher-text and revert the encrypted result to Alice. Upon decryption, Alice is left with z = f {x 1 , x 2 , . . . , x n }. A Homomorphic encryption consists of four main functions as shown in Fig. 3 [4]. Pascal Paillier developed an additive, probabilistic and non-deterministic asymmetric algorithm intended for communal key cryptography in 1999 [5]. It can compute an encryption of (m 1 + m 2 ), when only the public key and the two messages m 1 and m 2 are given. It is identical to RSA and uses separate keys for encoding and decoding. It is secure against chosen plaintext attacks and is malleable. It is used in electronic voting, electronic cash, etc.

Motivational Background and the Key Offerings of the Paper
The consumers presume that the cloud service suppliers ensure safe transmission of their data that is transmitted from the client's premises to the cloud servers. However, it is imperative that the key safety issues are addressed and carefully handled by the service provider. Therefore, it is important that cloud consumers do the due diligence in choosing suitable cloud service providers to ensure all safety protocols are addressed appropriately.
Following is a summary of key considerations we made in this study: • The important security factors in terms of con dentiality, integrity, and accessibility of the anticipated scheme with respect to attacks were con rmed.
• The outcomes of the intended method were validated to ensure improved and pro cient security measures.
• It was ensured that the proposed hybrid algorithm enhanced the performance of the system as a result of data partitioning.
• It was ensured that the planned algorithm provided a higher hardening index as compared to the existing approach.
• Increased values for throughput and stream length computed in blocks of ciphers were attained.

Related Work
As one of the most sought-after technologies of current times, research on cloud computing and especially cloud security is widespread and broad. Taha et al. [6] mentioned that a large amount of data is transmitted through the internet every day. So, the need to transfer data ef ciently and effectively is achieved through encryption and decryption techniques. The author discussed several algorithms, namely Triple DES, AES, Blow sh, and Krishna and computed parameters like throughput and time consumed in encrypting data for each algorithm. Wu et al. [7] provided an evaluation of three common encryption techniques for different block sizes of data blocks. Rani et al. [8] underlined that ensuring data security is the most dif cult task today in a cloud system. They suggested hybrid encryption, RSA and AES for ensuring trustworthiness, consistency, and ef ciency. Waleed et al. [9] mentioned techniques to improve the security of the cloud and the user's privacy. The authors stated that ensuring security and privacy in the cloud system could be a valuable point for cloud database researchers, designers, and vendors. Keerthana et al. [10] utilized IBM Bluemix cloud computing environment to provide the designers with a versatile tool to create their web and portable applications. The detailed architecture of Bluemix and the encryption and decryption algorithms were discussed.
Siregar et al. [11] outlined le security as a technique for providing security parameters through cryptography. The authors compared the Blow sh method with AES and an AES-Blow sh hybrid which provided high throughput. Chaudhary et al. [12] emphasized that security played a vital role in data transmission. The paper dealt with a hybrid approach combining RSA-AES and digital signatures which provided data authentication. 1024 bits public keys of the RSA algorithm were used for veri cation purposes. Encryption and decryption were performed using hybrid RSA and AES. The result and analysis of AES private key generation and RSA private key and public key generation, Digital signature private and public key generation and a comparison between different cryptographic and hybrid techniques were performed. Jyoti et al. [13] suggested that new threats required strong security tools in order to control and understand the privacy leaks and to ensure availability and authentication as opposed to attacks. MAES and SHA-512 hybrid approach were employed. Gajendra et al. [14] emphasized upon the storage and usage of personal data by different users on the cloud that demanded security and protection. The paper used third-party auditors and identity-based encryption to enhance the security of the les. Sharma [15] suggested a system that classi ed the data according to the security parameters assigned. The basic algorithms of ensemble learning were modi ed to improve the prediction capability and classi cation accuracy. Wang et al. [16] proposed that sourcing data led to safety issues. Thus, the truthfulness of sourced data should undergo mandatory checks by clients as a way of safeguarding their data. The computational complexity for key generation, storage, and transfer operations were compared.
Wang et al. [17] suggested that electronic health records bene t from cloud storage. Keyword search on patient health record was employed to enhance data security and the cipher-text generated was stored in the cloud, while proxy re-encryption guaranteed the legitimacy of access and privacy of data. Vyas et al. [18] discussed cloud computing and its deployment models. The cloud storage with its advantages and disadvantages were mentioned. General cloud stowage design and several safety necessities were discussed. The generated meta-data checked the data integrity and was stored at the end of the input le. Metadata was encoded by using AES-256 cryptographic algorithm, and hash of the original le was created using the SHA-256 algorithm.

The Proposed Hybrid Cryptography Protocol
The anticipated hybrid cryptography protocol intends to construct a competent and safe encryption algorithm constructed on the integration of the encryption procedures to transmit data in cloud-based systems. The planned hybrid system investigates the input and output for a combination of encryption procedures against the existing hybrid algorithm. The projected hybrid approach considers the following combinations of encryption algorithms: • Amalgamated encoding procedures using RSA and AES techniques.
• The fusion of Paillier and Blow sh encryption processes. Novelty statement: The purpose of the projected hybrid cryptography algorithm is to de ne a speedier and safe encryption algorithm in terms of hardening index and safer against malware injection attacks as opposed to previously presented algorithms.
Four setups are expounded upon in the framework: • Storage of encrypted information over the cloud by means of the RSA-AES hybrid technique.
• Storage of encoded info over the cloud by the RSA-AES hybrid technique without Blocking rules for the attacks.
• Collection of encrypted info over the cloud storage using Paillier-Blow sh Encryption without compression.
• Accumulation of encoded data over the cloud storage using Paillier-Blow sh Encryption with compression and blocking rules to halt attacks using rewall protection.
In the uploading phase, before the user stores his data over the cloud, the data is partitioned according to its type every single time. The proposed hybrid cryptographic scheme consists of two phases, one for encryption and the second for decryption. The security of the partitioned les for each user is ensured using the provided encryption procedure. The partitioned les are encrypted with the hybrid cryptographic algorithm. The various pieces of data are merged at the server and sent to decryption block. Fig. 4 explains the encryption process involved using both hybrid techniques.
In the decryption process, the partitioned les are decrypted to provide more protection. The encryption time and decryption times along with the le size and a corresponding hardening index of choosing systems are taken as comparison parameters. Fig. 5 describes the decryption process i.e., the reverse transformation of cipher-text to its original clear text.    The reason for utilizing the symmetric encryption process as a method of recovering the data from the cloud is a consequence of key distribution issues and the utility of homomorphic encryption is to reduce the overhead of decryption operations. In this section, the algorithms used for uploading and downloading phase are described. Algorithm 1 is employed for uploading of information to diverse cloud-based systems which meet storage capacity constraints. Here, a le is distributed into several sections depending upon its type and a corresponding Hashmap for each chunk is generated. Next, on each chunk, Paillier encryption is performed which encrypts and transform the data into cipher-text and generates its Hashmap again. For each pair of hash and generated cipher-text, these shares are then distributed to diverse cloud stores. At the end of uploading process, each segment is again encrypted using the Blow sh algorithm. Thus, we propose a method for the secure sharing of cloud info and provide a reliability assurance to customers using the aforementioned algorithms.

Implementation
We implemented a prototype of the model and analyzed the results with Ubuntu 16.04 1 on Oracle VM Virtual-Box 5.1.20 2 . Python 3 2.7.3 has been used for the implementation of the encryption algorithms. For simulation of cloud security, Fog server has been utilized on account of its ease of access and its policies which are attuned to the infrastructure available at hand. A security audit tool Lynis which is an open source shell script host-based tool for operating systems like Unix, Linux, Solaris 10, MAC, etc. and supports different plugins, compliance checks, and customs checks is employed to calculate the Hardening index which is a unique metric indicative of how well security vulnerabilities have been kept to a minimum in the system. In addition, it provides warnings and suggestions and detailed system logs based on the security tests that have been performed. ArcherySec 4 has been used as a vulnerability assessment and management tool.
Encryption processes are classi ed into block ciphers and stream ciphers based on the nature of the input data. Block cipher is an encryption procedure that takes xed size input (generally of the order of bytes) and produces the corresponding enciphered output. The block ciphering mechanism can be implemented in a variety of ways. Now here, we determine to conjoin the diverse styles of functioning of a block cipher and generate new properties, thereby enhancing the security of the core block cipher. The length of the message is generally higher than the block size. Consequently, the long message is sub-divided into a chain of sequential message blocks, and the cipher functions on these blocks one by one. Below we describe the various avors of block ciphering mechanism that are employed in order to bolster the strength of the core block cipher: • Electronic Code Block (ECB) mode encrypts the leading block of plain-text to generate cipher-text and follows the identical process with the similar key and so on.
• Cipher-text feedback (CFB) encrypts and transmits plain-text immediately one and only at a time with a 'feedback' to encrypt the subsequent plaintext block.
• In Cipher block chaining mode (CFC), the existing plaintext block is summed to the preceding cipher-text block and the outcome is encoded with the key.
• Output Feedback mode (OFB) mode comprises nourishing the consecutive output blocks from the fundamental block cipher back to it.
• Counter mode (CTR) is a counter-based form of CFB sans the feedback. It doesn't propagate transmission errors at all.

Analysis
The realized protocol is believed to competently deliver security guarantee to clients conditioned on the cloud service providers being stringent in their actions against malicious or illegal users. The truthfulness, obtainability and privacy security constraints in the event of both interior and exterior attacks were validated. Also, detailed general information, vulnerable software packages, and possible con guration issues in both the proposed hybrid approaches were understood using the Lynis security auditing tool. It gives a view of what components in the system pose the greatest security risks and are thereby the high priority targets of hardening projects. We evaluated the performance of different algorithms based on a list of parameters. We have categorized them into two broad groups: Computation overhead parameters and quality of service parameters.
We discuss these parameters in detail below: The Performance analysis of the proposed hybrid security algorithm was done from the twin perspectives of numerical and security analysis.

Numerical Analysis
The constraints for assessing the system performance are mentioned in this section. The most signi cant parameter that is characteristic of the performance of the system is the computation time needed to accomplish the operations under consideration. Compression helps in reduction of space complexity and calculation time. The other parameters that are considered are also de ned below.
Cipher-text le size of different le types (text/image/pdf/video/docx) is calculated and listed in Tab. 1. Paillier and Blow sh scheme with compression provides a signi cant improvement in performance as compared to RSA-AES hybrid scheme in case of text, image, video, docx, and pdf les.
The bar graph for encrypted le size using Paillier and Blow sh (with compression) and RSA + AES is shown in Fig. 7.   Tab. 2 depicts the le encryption and Decryption time using Paillier and Blow sh with and without compression and RSA-AES techniques. Encryption time is the time taken for encoding information in such a way that only authorized users can access the information. Decryption time is the time taken to reverse the process of encryption i.e., transformation of the encoded data back into its input form. We have calculated time using formulae tailored to the chosen encryption algorithm.  where, InputFilename is the le to be encrypted; OutputFilename is the encrypted le; and NewFilename is the decrypted lename. Different switches used are 'e' for encryption, 'd' for decryption, 'p' for the password, and * 'o' for output.
Calculation of encryption and decryption time using Blow sh with compression is done for different le types using the formulae mentioned below: time ./bcrypt -r Filename Calculation of encryption and decryption time using Blow sh without compression is done for different le types using the formulae mentioned below: time ./bcrypt -rc Filename  (1) where, elapsed encipher and decipher time is calculated by total encipher and decipher times divided by number of threads respectively.      The corresponding graph is shown in Fig. 13. Clearly, augmented time in Paillier-Blow sh hybrid approach is as desired.

Security Analysis
The overall system functionality can come to a standstill if the system is under attack. Using iptables in a script, we have blocked the attacks by creating rewalls in the proposed system. The script is present in Paillier-Blow sh hybrid approach and is absent in RSA-AES hybrid approach.
An iptables chain rule speci cation consists of a number of parameters given as options to the iptables command. Each rule in a Firewall comprises of certain conditions and an action to be taken if conditions match entirely. We have utilized the command iptables [-t table]{-D/-A/-C} chain rule speci cation where, iptables is employed to set up, preserve, and examine the tables of IPv4 packet lter rules in the Linux kernel. Every chain is a set of rules applicable to a set of packets and acts as a guide on what to do with the packet; −A appends one or more rules to the culmination of a certain chain; −C checks whether the rule corresponding to the description does occur in the selected chain and doesn't alter the existing iptables con guration as opposed to −D which obliterates one or the other rules from the selected chain.
The following commands are used to block common attacks like SYN and side-channel attack, to drop null packets and to drop incoming packets with fragments.
-For SYN packets checking, the command is sudo iptables -A INPUT -p tcp!--syn -m state NEW -j DROP -For checking side-channel packets, the command is sudo iptables -A INPUT -p tcp--tcp -ags ALL ALL -j DROP -For dropping null packets, the command is: sudo iptables -A INPUT -p tcp--tcp -ags ALL NONE -j DROP -To reject receiving packets with chunks sudo iptables -A INPUT -f -j DROP For security analysis, we have employed Lynis 2.7.1 which is an open source safety assessment tool for systems executing Unix-derivatives. A report, including the outcomes (cautions and recommendations) and wide-ranging information such as detailed security logs is generated. The Lynis security audit tool can be instantiated using the following command. sudo ./lynis audit system The proposed hybrid Paillier-Blow sh with compression approach is compared to RSA-AES approach on the Hardening Index parameter. Hardening index evaluates the number of tests performed on the system. It is used for managing a rewall and aims to provide an easy interface to the user.  These major inferences summarize the main contribution of the research carried out which aimed to analyze cloud security issues and propose a hybrid algorithm to augment the information security triad in a cloud computing environment involving multi-cloud scenarios. It is apparent that the suggested scheme achieves consistent outcomes based on the le type, reduction in computation time, and a decrease in le size. This hybrid technique will amplify the safety of the key and enhance data protection.

Conclusion
Cloud computing has become the infrastructural base for future computing paradigms. Yet, the security vulnerabilities in a cloud-based system persist as a vital bottleneck. So, a fusion of homomorphic and symmetric algorithms has been proposed to deal with cloud data security issues. Multi-cloud systems eliminate the drawbacks of a single cloud system. Security traits like con dentiality, integrity, availability, authorization, and non-repudiation for multi-cloud storage are supported. The main motivation and key contributions of the paper are listed. Architectural details and protocols for the proposed hybrid system is discussed. To create a virtual environment, the simulations have been executed on an Oracle Virtual Box on the Ubuntu platform. A comparative study of the prevailing hybrid scheme against the proposed hybrid system is done in terms of various parameters. For security analysis, attack analysis is used on both the discussed hybrid architectures. The encryption and decryption time of Paillier and Blow sh without compression is approximately 2.5 times higher than RSA-AES.
The encryption and decryption time of Paillier and Blow sh with compression is approximately 10% better than RSA-AES. The cipher-text size of Paillier-Blow sh with compression is signi cantly better than the RSA-AES combination for all types of les. The Hardening index for the Paillier-Blow sh amalgam system is much higher speci cally, 28% better than the RSA-AES combination. In work that will be carried out in the near future, hybrid algorithms will be created from a plethora of algorithms and characterized using results of our work. We also anticipate research efforts that would shed further light on secure encryption schemes for le protection and data preservation with the help of simple scripts and programs.

Funding Statement:
The authors received no speci c funding for this study.

Con icts of Interest:
The authors declare that they have no con icts of interest to report regarding the present study.