User Registration And Login Into Cloud Computing


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Before users are able to use a cloud storage service to back up or synchronize personal data, they have to complete a registration process to become a cloud user. Cloud storage providers usually require the creation of a user account before any cloud services can be used. It is important for the service provider to establish a single point of contact through which all subsequent configuration, logging. A user who wishes to entrust personal data to the service provider wants to be certain that he communicates with the intended service and also establishes a relationship of trust and contracts the service provider to perform its duties as pledged. During the registration process, the service provider and the new user agree upon some credentials which are then used to log in and use the service.

Attack possibilities:

If at any time an attacker is able to snoop on the communication, he might obtain the user’s credentials, compromise the account and gain access to uploaded data.

If an attacker is able to change the messages exchanged between user and service provider, he might act as a proxy and defraud both of them.

To prevent these attacks, all communication channels between service provider and user must be secured in terms of confidentiality, authenticity, and integrity. Service providers need to authenticate themselves against the client machine by presenting a certificate; users can examine it and use it to verify that they are really communicating with the intended service provider. That way, they have a means to detect existing phishing attacks, where attackers host a website which looks very similar to the intended service and try to get users to enter their credentials.

Attack analysis in cloud computing

AMAZON:

For the registration with AMAZON, the user connects to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery. Regardless of whether you use the HTTP or HTTPS protocol, AWS requires that every message be authenticated. For API requests using SOAP, messages must be hashed and signed for integrity and non-repudiation. AWS services require that SOAP messages be secured using the WS-Security standard BinarySecurityToken profile, consisting of an X.509 certificate with an RSA public key. For API requests made using Query, a signature must be calculated and included in every request. In addition to authenticating the request, the signature utilizes a cryptographic hash algorithm before and after transmission to ensure the message is not corrupted or altered in transit. Data that has been altered or corrupted in transit is immediately rejected. Available cryptographic hashes include SHA-1 and SHA-256.

AWS also supports the use of the Secure Shell (SSH) network protocol to enable you to connect remotely to your UNIX/Linux instances and gain access securely since all traffic is encrypted through SSH. Authentication for SSH used with AWS is via a public/private key pair to reduce the risk of unauthorized access to your instance. You can also connect remotely to your Windows instances using Remote Desktop Protocol (RDP) by utilizing an RDP certificate generated for your instance.

For customers who require additional layers of network security, AWS offers the Amazon Virtual Private Cloud (VPC), which provides a private subnet within the AWS cloud, and the ability to use an IPsec Virtual Private Network (VPN) device to provide an encrypted tunnel between the Amazon VPC and your data center.
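The Query-request signing described above, as an added example (not code from the essay or from AWS): a simplified Python sketch in which the client signs the sorted request parameters with HMAC-SHA256 and the server recomputes the signature and rejects anything altered in transit. The key ID, secret, host name and timestamp are constructed values, and the canonical string layout is an assumption modeled on keyed-hash query signing rather than the exact AWS algorithm.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials for the demo; not real keys.
SECRETS = {"AKIDEXAMPLE": "constructed-secret-key"}
DIGESTS = {"HmacSHA256": hashlib.sha256, "HmacSHA1": hashlib.sha1}


def canonical_query(params):
    """Sort by parameter name and percent-encode so both sides hash the same bytes."""
    enc = lambda s: quote(str(s), safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def sign(secret, method, host, path, params):
    """Return the base64 HMAC over method, host, path and canonical query."""
    digest = DIGESTS[params["SignatureMethod"]]
    message = "\n".join([method.upper(), host.lower(), path, canonical_query(params)])
    mac = hmac.new(secret.encode(), message.encode(), digest)
    return base64.b64encode(mac.digest()).decode()


def build_request(key_id, secret, method, host, path, action_params):
    """Client side: add the authentication parameters, then the signature."""
    params = dict(action_params, AWSAccessKeyId=key_id,
                  SignatureMethod="HmacSHA256", SignatureVersion="2",
                  Timestamp="2017-11-02T12:00:00Z")  # fixed so the demo is repeatable
    params["Signature"] = sign(secret, method, host, path, params)
    return params


def verify_request(method, host, path, received):
    """Server side: recompute the signature from what arrived and compare."""
    params = dict(received)
    presented = params.pop("Signature", "")
    secret = SECRETS.get(params.get("AWSAccessKeyId"))
    if secret is None or params.get("SignatureMethod") not in DIGESTS:
        return False  # unknown key or unsupported hash: reject
    expected = sign(secret, method, host, path, params)
    return hmac.compare_digest(expected, presented)  # constant-time comparison


def demo():
    host, path = "ec2.example.invalid", "/"  # constructed endpoint
    action = {"Action": "DescribeInstances", "Version": "constructed"}
    genuine = build_request("AKIDEXAMPLE", SECRETS["AKIDEXAMPLE"], "GET", host, path, action)
    tampered = dict(genuine, Action="TerminateInstances")  # altered in transit
    forged = build_request("AKIDEXAMPLE", "wrong-secret", "GET", host, path, action)
    return {
        "genuine": verify_request("GET", host, path, genuine),
        "tampered": verify_request("GET", host, path, tampered),
        "forged": verify_request("GET", host, path, forged),
    }


if __name__ == "__main__":
    print(demo())
```

Because the secret key never travels with the request, an observer of a plain-HTTP request can read it but cannot change a parameter without invalidating the signature.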

Registration and login security features:

AWS provides a number of ways for you to identify yourself and securely access your AWS Account. A complete list of credentials supported by AWS can be found on the Security Credentials page under Your Account. AWS also provides additional security options that enable you to further protect your AWS Account and control access: AWS Identity and Access Management (AWS IAM), key management and rotation, temporary security credentials, and multi-factor authentication (MFA).

AWS Identity and Access Management (AWS IAM)

AWS IAM allows you to create multiple users and manage the permissions for each of these users within your AWS Account. A user is an identity (within an AWS Account) with unique security credentials that can be used to access AWS Services. AWS IAM eliminates the need to share passwords or keys, and makes it easy to enable or disable a user’s access as appropriate.

AWS IAM enables you to implement security best practices, such as least privilege, by granting unique credentials to every user within your AWS Account and only granting permission to access the AWS services and resources required for the users to perform their jobs. AWS IAM is secure by default; new users have no access to AWS until permissions are explicitly granted.

AWS IAM enables you to minimize the use of your AWS Account credentials. Once you create AWS IAM user accounts, all interactions with AWS Services and resources should occur with AWS IAM user security credentials.

Key Management and Rotation

For the same reasons that it is important to change passwords frequently, AWS recommends that you rotate your access keys and certificates on a regular basis. To let you do this without potential impact to your application’s availability, AWS supports multiple concurrent access keys and certificates. With this feature, you can rotate keys and certificates into and out of operation on a regular basis without any downtime to your application. This can help to mitigate risk from lost or compromised access keys or certificates. The AWS IAM API enables you to rotate the access keys of your AWS Account as well as for users created under your AWS Account using AWS IAM.

In addition, you can now launch Amazon EC2 instances with access keys already provisioned on the instance and available for applications to use with AWS services. This can save significant time for customers who manage a large number of instances or an elastically scaling fleet using AWS Auto Scaling. To have credentials automatically provisioned on Amazon EC2 instances, you create an IAM role, assign it a set of permissions, and launch Amazon EC2 instances with the role. Another benefit of the auto-provisioned credentials is that the keys on the instance are rotated automatically multiple times a day.

Temporary Security Credentials

AWS IAM enables you to grant any user temporary access to your AWS resources by using security credentials that are valid only for a limited amount of time. These credentials provide enhanced security due to their short life-span (the default expiration is 12 hours) and the fact that they cannot be reused after they expire. This can be particularly useful in providing limited, controlled access in certain situations:

• Federated (non-AWS) User Access. Federated users are users (or applications) who do not have AWS accounts. With temporary security credentials, you can give them access to your AWS resources for a limited amount of time. This is useful if you have non-AWS users that you can authenticate with an external service, such as Microsoft Active Directory, LDAP, or Kerberos. The temporary AWS credentials provide identity federation between AWS and your non-AWS users in your corporate identity and authorization system.

• Single Sign-On. You can provide your federated users with single sign-on access to the AWS Management Console through their corporate identity and authorization system without requiring them to sign into AWS. To provide single sign-on access, you create a URL that passes the temporary security credentials to the AWS Management Console. This URL is valid for only 15 minutes after it is created.

The temporary credentials include a security token, an Access Key ID, and a Secret Access Key. To give a user access to certain resources, you distribute the temporary security credentials to the user you are granting temporary access to. When the user makes calls to your resources, the user passes in the token and Access Key ID, and signs the request with the Secret Access Key. The token will not work with different access keys. How the user passes in the token depends on the API and version of the AWS product the user is making calls to.

AWS Multi-Factor Authentication (AWS MFA)

AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security for accessing AWS services. When you enable this optional feature, you will need to provide a six-digit single-use code in addition to your standard user name and password credentials before access is granted to your AWS Account settings or AWS services and resources. You get this single-use code from an authentication device that you keep in your physical possession. This is called multi-factor authentication because more than one authentication factor is checked before access is granted: a password (something you know) and the precise code from your authentication device (something you have). You can enable MFA devices for your AWS Account as well as for the users you have created under your AWS Account with AWS IAM.

AWS MFA supports the use of both hardware tokens and virtual MFA devices. Virtual MFA devices use the same protocols as the physical MFA devices, but can run on any mobile hardware device, including a smartphone. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the Time-Based One-Time Password (TOTP) standard. Most virtual MFA applications allow you to host more than one virtual MFA device, which makes them more convenient than hardware MFA devices. However, you should be aware that because a virtual MFA might be run on a less secure device such as a smartphone, a virtual MFA might not provide the same level of security as a hardware MFA device. It is easy to obtain hardware tokens from a participating third-party provider or virtual MFA applications from an AppStore and to set it up for use via the AWS website.

AMAZON attacks solutions:

Distributed Denial Of Service (DDoS) Attacks. AWS API endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world’s largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.

Man in the Middle (MITM) Attacks. All of the AWS APIs are available via SSL-protected endpoints which provide server authentication. Amazon EC2 AMIs automatically generate new SSH host certificates on first boot and log them to the instance’s console. You can then use the secure APIs to call the console and access the host certificates before logging into the instance for the first time. We encourage you to use SSL for all of your interactions with AWS.

IP Spoofing. Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.

Port Scanning. Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated. Customers can report suspected abuse via the contacts available on our website at: http://aws.amazon.com/contact-us/report-abuse/. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed and are only opened by you. Your strict management of security groups can further mitigate the threat of port scans. If you configure the security group to allow traffic from any source to a specific port, then that specific port will be vulnerable to a port scan. In these cases, you must use appropriate security measures to protect listening services that may be essential to their application from being discovered by an unauthorized port scan. For example, a web server must clearly have port 80 (HTTP) open to the world, and the administrator of this server is responsible for the security of the HTTP server software, such as Apache. You may request permission to conduct vulnerability scans as required to meet your specific compliance requirements. These scans must be limited to your own instances and must not violate the AWS Acceptable Use Policy.

Packet sniffing by other tenants. It is not possible for a virtual instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance. While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2 and Amazon VPC. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice you should encrypt sensitive traffic.
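The security-group point in the Port Scanning paragraph above can be checked mechanically. The following added example (not from the essay or from AWS) audits rules in the shape returned by the EC2 DescribeSecurityGroups call and flags ports open to any source; the sample groups, the severity labels and the choice of 80/443 as intentionally public are assumptions.

```python
import ipaddress

# Constructed sample data in the DescribeSecurityGroups response shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-constructed1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-constructed2", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # remote-login services named on this page
INTENDED_PUBLIC = {80, 443}             # assumption: web ports are meant to be public


def open_to_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. 'traffic from any source'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(groups):
    """Return (group id, severity, rule, exposed admin services) per world-open rule."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "udp", "-1"):
                continue  # ICMP and others carry no port range; out of scope here
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(open_to_world(c) for c in cidrs):
                continue
            # "-1" means all protocols and all ports.
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            admin = [name for port, name in ADMIN_PORTS.items()
                     if proto != "udp" and lo <= port <= hi]
            if admin:
                severity = "high"    # login service reachable from any source
            elif lo == hi and lo in INTENDED_PUBLIC:
                severity = "info"    # public by design; server software must be hardened
            else:
                severity = "medium"
            findings.append((group["GroupId"], severity, f"{proto} {lo}-{hi}", admin))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS):
        print(finding)
```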

Scenario:

In this section, I will present the steps in the above three Cloud Providers for the three main processes (registration, copying data and sharing data).

AMAZON registration steps:

To use Amazon EC2, you must sign up for an AWS Account, sign up for Amazon EC2, and sign up for the Amazon Simple Storage Service (Amazon S3). These are three different actions that must be performed separately.

Step 1: Signing up for Amazon EC2

To utilize the Amazon EC2 service, you will need to enable your AWS account for use with Amazon EC2. If you don't already have an AWS account, you will be prompted to create one as part of the sign up process. If you already have an Amazon EC2 account, you can skip this step. To sign up for Amazon EC2 simply perform the following steps:

1. Go to the Amazon EC2 homepage ( http://aws.amazon.com/ec2 ) in your web browser.

2. Click Sign Up For Web Service in the top right of the screen and follow the on-screen instructions.

Step 2: Signing up for Amazon S3

Amazon EC2 AMIs are stored in and retrieved from Amazon S3. This means you will also need to sign up for Amazon S3. If you already have an Amazon S3 account, you can skip this step.

1. Go to the Amazon S3 homepage ( http://aws.amazon.com/s3 ) in your web browser.

2. Click the Sign up for this service button.

Creating a KeyPair

An SSH keypair is used for several purposes including connecting to Linux/OpenSolaris instances and retrieving your Windows Administrator password. To generate a keypair, simply perform the following steps:

1. Log on to the AWS management console https://console.aws.amazon.com and click on "Key Pairs" in the navigation menu.

2. Click on the "Create Key Pair" button.

3. Type in a name for your KeyPair, and click the "Ok" button.

4. You will be prompted to open or save the .pem file. Select Save and then move it to a secure file location.

5. Your KeyPair will now be created; remember this name, because you will use it later.

Step 3: Security groups:

1. Click on "Security Groups" in the navigation menu, then press the "Create Security Group" button and enter a name and description.

2. Enter the allowed connections by selecting connection method SSH and press save. This will allow access from an ssh client to log on to the instance.

3. Select the HTTP protocol from the connection method dropdown and press save. This will allow HTTP access via port 80 to the instance.

Now you will have your security group set up.

Step 4: Launch Instance

Once you have the AMI selected, you can easily launch an instance by performing the following:

1. Right click on the selected AMI and click on "Launch Instance(s) of this AMI".

2. In the Number of Instances section, enter 1. This enables multiple instances to be started.

3. In the KeyPair section of the pop-up box, select the KeyPair you created in the setup section. This will associate your security KeyPair with an instance, so that you can connect to it.

4. In the Security Groups section, select the appropriate group and click on the right arrow to move it into the Launch in box.

5. Click the "Launch" button.

6. Click "Instances" in the navigation menu and the instance will show up in the list in the "starting" state. After about a minute or two it should reach the "running" state, otherwise press the refresh button. If you are running a Linux/UNIX instance, it will be ready to use. If you are using Windows, please right click on the instance, and select "Show Console Output". When the text "Windows is ready to use" appears, your instance is ready to use!

Step 5: Connecting to the Instance

To connect from a Windows client:

An ssh client needs to be installed. See Appendix 1 on installing, configuring and using PuTTY.

To connect from a Linux client:

ssh -i xxx-keypair [email protected]

Windows Instance

1. Get the Windows Administrator password by right clicking on the instance in the AWS Management Console and clicking "Get Default Administrator Password".

2. Next you need to copy the contents of the keypair.pem file generated earlier and press Decrypt Password to see the unencrypted password.

3. Copy the unencrypted password to somewhere safe.

4. On your Windows machine go into remote desktop and log on to the machine using the Public DNS.

5. Log in as user "administrator" with the unencrypted password.

Note: Your security group must allow access to the RDP or SSH port.

At this point, you have now successfully gained access to your new instance!

Step 6: Create Bucket

1. Click Create Bucket. In the Create a Bucket dialog box, in the Bucket Name box, enter a bucket name. The bucket name you choose must be unique across all existing bucket names in Amazon S3. One way to help ensure uniqueness is to prefix your bucket names with the name of your organization. After you create a bucket, you cannot change its name. In addition, the bucket name is visible in the URL that points to the objects stored in the bucket. Ensure that the bucket name you choose is appropriate. In the Region box, select a region.

2. Click Create. When Amazon S3 successfully creates your bucket, the console displays your empty bucket in the Buckets panel.

You've created a bucket in Amazon S3.

Step 7: Upload data in the bucket

1. Click the name of the bucket where you want to upload an object and then click Upload.

2. In the Upload - Select Files wizard, if you want to upload an entire folder, you must click Enable Enhanced Uploader to install the necessary Java applet. You only need to do this once per console session.

3. Click Add Files.

A file selection dialog box opens:

• If you enabled the advanced uploader in step 2, you see a Java dialog box titled Select files and folders to upload, as shown.

• If not, you see the File Upload dialog box associated with your operating system.

4. Select the file that you want to upload and then click Open.

5. Click Start Upload.

You can watch the progress of the upload from within the Transfer panel.

Tip

To hide the Transfer dialog box, click the Close button at top right in the Transfers panel. To open it again, click Transfers.

Step 8: Download data from bucket

1. Right-click the object that you want to move, and then click Cut.

2. Navigate to the bucket or folder where you want to move the object. Right-click the folder or bucket and then click Paste Into.

Step 9: Data sharing

9.1: Make your files public

Start S3 Browser and select the bucket that contains the files you want to share.

Select the files you want to share and open the Permissions tab.

Click the Make Public button. If all operations completed successfully, you will see the following message.

Click the Copy button to copy web urls to clipboard.

http://pics-to-share.s3.amazonaws.com/DSC06258.JPG

http://pics-to-share.s3.amazonaws.com/DSC06259.JPG

Now these files are accessible to everyone. You can use generated web urls on your website or blog, or send them to someone.

9.2: Sharing data with another user

1. Start S3 Browser and select the bucket you want to share.

2. Click Buckets -> Edit Permissions (ACL).

3. The Permissions tab will open; then click More -> Add user by Email/ID.

4. Enter or paste the Email or Owner Id of account 2.

5. Check the permissions you want to grant.

If you plan to allow file upload (the 'Write' permission), we recommend granting the 'Read Permissions' too, and the uploader (account 2) should also enable permissions inheritance in Tools, Options. This is important if you need access to files uploaded by another account (account 2).

6. Click Apply changes.

GOOGLE

RACKSPACE:

DROPBOX:


