On the Security of A Remote Cloud Storage Integrity Checking Protocol

TL;DR

This paper critically examines a cloud data integrity checking protocol, revealing security flaws that allow undetected data modification and failure to prevent offline guessing attacks, thus questioning its effectiveness.

Contribution

It identifies and demonstrates security weaknesses in a recent efficient cloud data auditing protocol, challenging its claimed security features.

Findings

Attackers can modify data without detection.

Zero Knowledge protocol fails to prevent offline guessing.

Security flaws undermine protocol reliability.

Abstract

Data security and privacy is an important but challenging problem in cloud computing. One of the security concerns from cloud users is how to efficiently verify the integrity of their data stored on the cloud server. Third Party Auditing (TPA) is a new technique proposed in recent years to achieve this goal. In a recent paper (IEEE Transactions on Computers 62(2): 362-375 (2013)), Wang et al. proposed a highly efficient and scalable TPA protocol and also a Zero Knowledge Public Auditing protocol which can prevent offline guessing attacks. However, in this paper, we point out several security weaknesses in Wang et al's protocols: first, we show that an attacker can arbitrarily modify the cloud data without being detected by the auditor in the integrity checking process, and the attacker can achieve this goal even without knowing the content of the cloud data or any verification metadata maintained by the cloud server; secondly, we show that the Zero Knowledge Public Auditing protocol cannot achieve its design goal, that is to prevent offline guessing attacks.