Article Preview
Top1. Introduction
The usage of public cloud based applications (Gartner 2017) such as Whatsapp, Twitter, Facebook and collaborative applications, Pay TV systems are increasing. The vulnerabilities such as credentials gain are also increasing. Security is the major concern over the usage of many cloud based applications. (Özkan, S. 2016) presents the data source of security vulnerabilities. During the year 2012–17, 75 credentials gain information vulnerabilities found in cloud computing environments such as VMware, Openstack and XEN. When sensitive data is stored in public cloud environment, client is not sure about existence of data in cloud. Figure 1 shows credentials gain vulnerabilities during 2012–16. The number of vulnerabilities found in year 2016 is more compared to previous year. Table 1 describes vulnerabilities information of the year 2017. It also indicates the need of securing the keys.
Cloud computing covers three basic service layers Software as a service (SaaS), Platform as a service (PaaS) and Infrastructure as a service (IaaS). At SaaS layer (Syed Hussain 2017), attacks on API’s, web interfaces cause unauthorized access of data and access of private keys. The attackers exploit cross site scripting on interfaces that leads to grab credentials. As per Ponemon 2014 SSH (Secure Shell) security Vulnerability Report (Ponemon. 2014), vulnerability of SSH also causes to extract key credentials to login into root access. Multitenancy (Hashizume, Rosado, Fernández-Medina, & Fernandez, 2013) also causes risks of sensitive information leakages.
In IaaS, the virtualization provides isolation among virtual machines. The attacker’s exploits side channels (Zhang, Juels, Reiter & Ristenpart, 2012) to extract private keys due to co-location of virtual machines on the same physical machine. The adversary places it’s VMs alongside the victim VM and acquires important information. Side channels include execution time, power consumption, heat, electromagnetic radiation, or even sound level emanating from a device. Flush + Reload (Irazoqui, Inci, Eisenbarth & Sunar. 2014) cache attack used to grab ELGamal, RSA, AES Keys. Timing attack (Paul Kocher.1996), causes to extract key by monitoring the time it takes for cryptographic operation. VM-cross channel attack, memory disclosure attack, cache attack and Row Hammer attack (Thomas Ristenpart, Eran Tromer, Hovav Shacham & Stefan Savage. 2009), (Rui Qiao & Mark Seaborn. 2016) presents key leakages in collocated VMs in a single physical host. Row Hammer (Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida & Herbert Bos 2016), (Rui Qiao & Mark Seaborn 2016) is one of the cross virtual attacks that modifies the bits in the key and steal the cryptographic key contained in the victim virtual machine from co-resident virtual machine. (Leonid Domnitser, Aamer Jaleel, Jason Loew, Nael Abu-Ghazaleh & Dmitry Ponomarev 2012), Jingfei Kong, Onur Aciicmez, Jean-Pierre Seifert, & Huiyang Zhou 2008) proposes solution to prevent cache attack at hardware level which is expensive.