Enhancing the Access Privacy of IDaaS System Using SAML Protocol in Fog Computing

Fog environment adoption is increasing day by day in industry. Unauthorized access to data occurs because the identity and information of users are preserved either at the endpoints or at the middleware. This paper proposes a methodology to protect and preserve the identity of users during data transmission. It uses fog computing for storage to counter the security issues of cloud and database environments. Cloud and database architectures have failed to protect the data and identity of users, but a fog computing based Identity management as a service (IDaaS) system can handle this with the Security Assertion Markup Language (SAML) protocol and a Pentatope based Elliptic Curve Crypto cipher. A detailed comparative study of the proposed and existing techniques is carried out by considering multi-authentication dialogue, security services, service providers, identity, and access management.


I. INTRODUCTION
Nowadays, one of the essential services that cloud-based organizations can adopt is Identity management as a service (IDaaS) [1]. It enables security services such as accountability, authorization, and access control to be enriched and deployed in cloud environments [1], even though the cloud paradigm already plays a vital role in the computing field with regard to monitoring and controlling data. IDaaS provides infrastructure for identity management and allows a move from the traditional approach to an on-demand delivery model. Moreover, IDaaS offers cloud users and providers various opportunities such as cost reduction and control over outsourced data related to the user's identity [2]. It further broadens its service offering in the direction of facilitating security services.
Globally, the utilization of advanced technologies such as fog and edge computing infrastructure [32] and blockchain technology [38] has increased because they maintain the vast amounts of data collected from connected IoT devices.
The associate editor coordinating the review of this manuscript and approving it for publication was Gautam Srivastava.
This infrastructure has attracted users of a large number of connected automated devices. These computing systems analyse the stored data at the cloud/fog with respect to its characteristics of storage, computation, and analysis (SCA). In this work a prototype was developed that demonstrates how IDaaS systems can protect the privacy of a user's data. The prototype was designed and developed using the Security Assertion Markup Language (SAML) identity management protocol [3] and a Pentatope based ECC (PECC) scheme [7] to perform cryptographic preservation in cloud-based applications. This technique enables an identity provider to supply the required attributes to the service requestor without extracting or reading their values; in this way the user's privacy is preserved with respect to the identity provider [4]. A comparative analysis of performance is made using various identity management protocols.
SAML is standardized and secure, with an excellent user experience, and serves as a single point of authentication (SPOA) [3]. The proposed SAML based system verifies the user's credentials at a secure identity (ID) provider and monitors whether user credentials cross the firewall boundary. Consequently the IDs need not be preserved or synchronized in any of the proposed cloud-based applications, which could otherwise allow data to be stolen through breaches of the storage [5]. PKI (public key infrastructure) based SAML provides a strong security layer that protects the IDs against security attacks [18]. PKI based PECC is used for additional security, giving two levels of security.
The proposed protocol helps to enhance the privacy of user/enterprise data using the Pentatope based ECC cipher (PECC) [7]. Related work is surveyed in Section 2. Section 3 discusses the proposed scheme, which improves secure integrity checking of cloud users' identities through IDaaS (Identity as a Service) and PECC. Section 4 describes the Amazon EC2/Google App Engine cloud environment used to implement the protocol and the testing and analysis of attack possibilities.

II. LITERATURE SURVEY
Privacy and protection with an authentication feature have become part of every communication system. Different identity management systems and protocols offer privacy and protection based services with efficient management of identities and keys. The initial step towards achieving privacy and protection is developing trust among the entities.
Jing et al. [1] proposed an authentication model using the SAML protocol in the cloud environment. The authors analysed the security issues in the bidirectional authentication process and, to overcome them, added a link using the certificate authority and the challenge response generated by the identity provider. It distributes the session key to the users and the service providers, and provides methods that guarantee the essential security of the session, solving some problems related to information transmission. Through uniform identity resource management one can resist replay attacks in the resource transformation.
Indu et al. [2] developed a model to provide a secure identity and access management (IAM) system in the cloud environment. This was achieved by building IAM with several authentication and authorization protocols. It validates user identities and hides the original identities of the user by providing various security protocols in the cloud identity management system.
Wang et al. [3] proposed a mechanism that provides security to identities as well as to applications and access to resources in the cloud environment. In a manual identity management system, third-party vendors may misuse user credentials for malicious attacks in the cloud, so a single sign-on mechanism is introduced in which the user's one-time password gives access to applications and resources each time. The work shows how authentication is provided using the OpenID, OAuth and SAML protocols [4]. With these authentication protocols, no password is shared with the associated applications in the cloud. Some authorization mechanisms are also introduced that permit or deny access to a particular resource for cloud users, so the process is fully transparent to entities wishing to communicate with each other for a specific service. This helps reduce the occurrence of identity theft attacks in the cloud environment.
Jiang et al. [5] analysed and identified several security issues, identity threats and limitations in the cloud environment, with emphasis on identity and access management and security services. The study compares various protocols and their frequently used mechanisms from different perspectives.
From the existing literature we can see that these protocols are used only to hide the identities of the end users communicating through the cloud, not to protect the information transmitted over the cloud, when parameters such as Infrastructure as a Service (IaaS) [6], [14] are considered.
The existing methods fail to address authentication validity [16], [20], [21] during data flow over the cloud environment. To secure the identities, the information and the data flow, the proposed framework uses the SAML protocol, a strong authentication server and IDS servers for authentication, and Pentatope based Elliptic Curve Cryptography [7] to transfer messages in encrypted form. The similarity search schemes used in the existing system [19] to preserve encrypted data can be successfully exploited by cyber stalkers with known-cipher attacks. Other approaches related to cloud performance measurement, cloud applications and cloud platforms are also discussed here.
Ahmad et al. [31] discussed the importance of scalability of cloud-based software services and its technical measurement, taking the elasticity metric as the technical measure of cloud performance. The authors used two cloud-based systems, Microsoft Azure and Amazon EC2, and compared the same cloud software services on the same cloud platform under different scaling policies. Chaudhry et al. [32] proposed an authentication scheme for demand response management (DRMAS) to protect the smart grid environment over the cloud infrastructure. Its main aim is to reduce known attacks and improve the efficiency of the utility center, and it also helps secure the data transferred among components connected over the Internet of Things (IoT).
Ali et al. [33] proposed an improved scheme (iTCALAS) over the temporal credential based anonymous lightweight authentication scheme (TCALAS) [42]. Its main objective is to reduce the security challenges of the Internet of Drones (IoD). The use of unmanned aerial vehicles is increasing day by day because of their portability and open communication architecture, which can increase cyber-attacks on the sensitive data transmitted among IoD devices. iTCALAS offers solutions to these IoD security challenges.
Abdalla et al. [35] proposed an authenticated key exchange protocol that helps secure a password shared among multiple parties over a network. The approach was designed for a three-party scenario without using the Random Oracle Model [41]. The authors discussed an insecure 3-party password-based key exchange protocol and described the security models for two-party password-based key exchange. Table 1 compares the related works by considering characteristics such as security services, performance measurement and authentication protocols. Integrity and confidentiality are taken as the security services for the analysis against existing approaches. Some authors [31], [39] have used the OAuth and OpenID protocols as authentication protocols to verify the communication data and the user's identity. The proposed approach takes SAML as its authentication protocol because of its unique SPOA feature [3]. Table 1 shows that the proposed system provides both security services.

III. ANOMALY DETECTION
The proposed scheme is a cloud based anonymous authentication protocol. The proposed cloud environment consists of components that provide authentication, including an anonymity based IDaaS system. The Authentication Server, Secure ID Server, SAML protocol and Pentatope based Elliptic Curve Crypto Cipher (PECC) are the essential components of the proposed cloud based protected authentication protocol, as shown in Fig. 1. In the traditional cloud there are significant security risks related to information maintenance among multiple mobile users [18], [23]. For example, an attacker can deploy a malware application on any device in the cloud environment and, depending on its location, exploit a vulnerability [8]. Hence a protocol is required that can perform continuous auditing or monitoring of the communication along with integrity verification. The following prerequisites define the cloud based SAML and PECC based anonymous authentication protocol. Each client that wants to participate in the communication must register with the fog based authentication server (AS). Each party must be authorized, based on its registered information, before joining the communication. The necessary client attributes are maintained in a protected way using SAML and PECC and held at the cloud server. The next prerequisite is that all clients communicate via a web application and web browser, because the components reside on the cloud infrastructure. A further prerequisite is that the authentication server and the identity management (ID) server share the attributes used to validate clients and issue authorization tokens/tickets to the initiators, as shown in Fig. 2. Protocol 1 addresses the authentication dialogue in which Client 'A' sends an initiation request to the Authentication Server 'AS' to obtain an authentication token from AS.
This token proves Client 'A' to be an authorised person at the identity based server (IDS), similar to a zero knowledge based protocol (ZK protocol) [24], [26], for further processing.
With the authorised encrypted token received from the Authentication Server (AS) in the fog environment, Client A initiates a request for a ticket by proving itself a trusted registered node to the ID server (IDS), which resides in the cloud environment. Protocol 2 addresses the authentication dialogue between Client 'A' and IDS and shows the issue of an authorised encrypted ticket along with a secret key to Client 'A' after verification. Protocol 3 shows the communication between the authorised parties after they have proved themselves to each other as authorised, using the (random time stamp based) ticket issued by IDS [24].
In this privacy preserving communication process the data is never preserved at any location [17]. Session based communication reduces authentication attacks, so the requested, verified and issued information always carries a time slot or nonce. After a session ends, every user must again prove itself as an authorised person and obtain a new token and ticket to continue communicating. This approach reduces ID theft attacks [34] and data loss attacks [38], [39] carried out through breaches of data storage locations [22]. Data is protected from cyber stalkers through PECC [7] and SAML [3], and the confusion and diffusion [43] factors are improved by adding the session time as an additional feature of the dialogues. It also resists forgery attacks through the session time and the double spending authentication verification process used as an integrity check.

Protocol 1 Initiation Request by User 'A'
Step 1: Client A sends a request to the Authentication Server (AS) as ID_A || Request, where ID_A = Identity of Client A.
Step 2: AS verifies ID_A.
Step 3: If ID_A = True then: where E_K(AS-IDS) = encryption key between AS and IDS and T1 = time stamp between AS and Client A.
Step 4: Else: Notify to register in the cloud based AS server and drop the connection.
Note: Client A has no access to the encryption key provided by AS; only the IDS server can decrypt the key.
By getting authorisation from the AS, Client A forwards the request to IDS as follows:

Protocol 2 Zero Knowledge Based (ZK) ID Proof Protocol
Step 1: where ID_B = Identity of Client B.
Step 2: IDS verifies the request.
Step 3: If True then: where E_K-SAML(IDS-B) = encryption key between IDS and Client B, RK_A-B = random key between A and B, and T2, T3 = time stamps between the respective server and client.
Step 4: Else: Notify incorrect attributes and drop the connection.
Note: Client 'A' has no access to the encrypted key provided by IDS; it can only be decrypted by Client 'B'.
After being authorised by both servers, Client A communicates with Client B as shown in Protocol 3. Note: Client B has no access to the encrypted key between AS and IDS; it only has access to the key between IDS and B, so B can decrypt it.
In the proposed method, a cloud based communicating party first sends a request with its identity to the authentication server (AS); AS checks the user attributes and, if the user is authenticated, sends a token along with a timestamp. Client A cannot read the encrypted token sent by AS; it forwards the token to the identity management server (IDS), and only IDS can decrypt it, using the attributes shared between AS and IDS. IDS in turn sends Client A an encrypted ticket and a random key with a timestamp. Client A, which itself has no access to the encrypted ticket, transmits the PECC encrypted message to Client B. Client B receives the request and is authenticated by both servers in order to decrypt the message. This method is analysed against existing techniques in Section 4.
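As an added illustration, not part of the paper or its prototype, the following Python script simulates the three dialogues (Protocols 1 to 3): the AS issues a time-stamped token that only IDS can open, IDS accepts each token once (the double spending check) and issues RK_A-B plus a ticket sealed for Client B, and B decrypts A's message. PECC is replaced by a stand-in encrypt-then-MAC construction built from SHA-256 and HMAC; the key names, the 60-second validity window and the client registry are assumed, and Protocol 2's zero knowledge step is modelled simply as IDS verifying the AS token.

```python
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for the paper's PECC cipher: SHA-256 used in counter mode.
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || HMAC-SHA256 tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a party without the right key can neither read nor alter the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed long-term keys: K_AS_IDS is shared only by AS and IDS, K_IDS_B only by
# IDS and Client B. Client A never holds either, matching the notes under Protocols 1 and 2.
K_AS_IDS = os.urandom(32)
K_IDS_B = os.urandom(32)
REGISTERED = {"A", "B"}   # clients registered at the fog-based AS (assumed registry)
SESSION_TTL = 60          # seconds a token or ticket stays valid (assumed value)

class AuthServer:
    """Protocol 1: ID_A || Request -> encrypted token carrying time stamp T1."""
    def initiation_request(self, id_a: str, request: str, now: float) -> bytes:
        if id_a not in REGISTERED:
            raise PermissionError("unknown identity: register at the AS first")
        return seal(K_AS_IDS, json.dumps({"id": id_a, "req": request, "T1": now}).encode())

class IDServer:
    """Protocol 2: verify the AS token, then issue RK_A-B and a ticket sealed for B."""
    def __init__(self):
        self.spent = set()   # double-spending check: every token is accepted only once

    def zk_id_proof(self, id_a: str, id_b: str, token_blob: bytes, now: float):
        token = json.loads(unseal(K_AS_IDS, token_blob))
        if token["id"] != id_a or now - token["T1"] > SESSION_TTL:
            raise PermissionError("token does not belong to this client or has expired")
        if token_blob in self.spent:
            raise PermissionError("token replayed")
        self.spent.add(token_blob)
        rk_ab = os.urandom(32)
        ticket = {"A": id_a, "B": id_b, "RK": rk_ab.hex(), "T2": now}
        return rk_ab, seal(K_IDS_B, json.dumps(ticket).encode())

def client_b_receive(id_b: str, ticket_blob: bytes, ciphertext: bytes, now: float) -> bytes:
    """Protocol 3: B is authorised against the AS registry, opens the ticket, recovers RK_A-B."""
    if id_b not in REGISTERED:
        raise PermissionError("client B is not authorised")
    ticket = json.loads(unseal(K_IDS_B, ticket_blob))
    if ticket["B"] != id_b or now - ticket["T2"] > SESSION_TTL:
        raise PermissionError("ticket is not for this client or has expired")
    return unseal(bytes.fromhex(ticket["RK"]), ciphertext)

def run_session(msg: bytes, now: float, ids: IDServer) -> bytes:
    """Drive the three dialogues end to end and return what Client B decrypts."""
    token = AuthServer().initiation_request("A", "talk-to-B", now)
    rk_ab, ticket = ids.zk_id_proof("A", "B", token, now)
    return client_b_receive("B", ticket, seal(rk_ab, msg), now)
```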

IV. COMPARISON ANALYSIS
In this section the proposed protocol is compared with existing protocols in Table 2. Table 2 also lists the characteristics of the proposed protocol: authentication, authorisation, secure communication, maintenance and integrity. These characteristics are achieved through algorithms such as PECC [7], SAML [3], the Zero Knowledge (ZK) protocol [24] and cloud and fog [32] based data maintenance. The protocol addresses the issues faced in cloud-based communication systems by including multi-level integrity checking in the fog computation. The common technical perspective considered by the majority of researchers, however, is measuring the elasticity of cloud services [32]. Elasticity is measured by factors such as time shares, time length, reconfiguration time, scalability and accuracy in different states (over-provisioned and under-provisioned).
Along with elasticity, other factors such as authentication protocols, integrity checking and data privacy mechanisms affect the performance of cloud services. In this paper we present authentication protocols that enhance cloud/fog performance in terms of secure communication by reducing cyber-attacks on the cloud, and we also show their effect on the response time of data communication and computation. The latency of the proposed protocol is evaluated as the delay between the request of user 'A' and the response of the proposed application; this is also referred to as the elasticity measurement. The communication cost and the number of communications in the proposed protocol are higher than in the other protocols, because the cloud server has to verify the authenticity of the requests received from clients and must securely return an acknowledgment to the client, which helps integrity checking.

V. RESULTS AND ANALYSIS
To obtain the computational performance, we simulated the parties' communication using Visual Studio 2012, the Windows Azure cloud and a cloud server. The system performs better than existing protocols such as the lightweight NFC protocol [24], the ID based public auditing protocol [5] and the uniform identity authentication method [1]. Computation, communication, memory and time are the main performance metrics of a fog application. Computation and communication time are lower because separate cloud environments were maintained for the authentication server and the identity (ID) server. The proposed system is reliable and cost efficient, as shown in Fig. 3. Attack rate, response time, computational speed and latency were considered as functional factors to test the performance of the proposed protocol. By maintaining a distributed architecture, the attack rate (unauthorised access) [34] and latency (delay between user action and application response) [40] are lower than in the others. Adding authorization and confidentiality approaches such as SAML [3], PECC [7] and ZK protocols [27] to secure data communication via cloud and fog affects the response time and computation speed.

Protocol 3 Authorised Parties Communication
Step 1: Client A transmits the encrypted message to Client B. Client A → Client B: where E_RK(A-B)(Msg) = message encrypted using PECC from Client A to B.
Step 2: Soon after receiving the request, Client B needs to be authorized in order to decrypt the message.
Step 3: AS authenticates ID_B.

VI. CONCLUSION AND FUTURE SCOPE
The proposed work improves cloud security through continuous auditing among the communicating components. The main objective of this work is the development of an IDaaS based cloud integrity checking protocol with privacy preservation and authentication features. The protocol resists forgery attacks, ID theft attacks and authentication attacks through a double spending authentication mechanism among the Authentication Server (AS), the Identity management Server (IDS) and the users. In future we would like to extend this work to resource limited edge devices such as IoT end devices.

RIZWAN
He is the leading authority in the areas of smart/intelligent, wireless, and mobile networks' architectures, protocols, deployments, and performance evaluation. His publication history spans over 250 publications in journals, conferences, patents, books, and book chapters, in addition to numerous keynotes and plenary talks at flagship venues. He has authored and edited more than 25 books on cognition, security, and wireless sensor networks' deployments in smart environments, published by Taylor & Francis, Elsevier, and Springer. He has received several recognitions and best paper awards at top international conferences. He also received the prestigious Best Research Paper Award from the Elsevier Computer Communications journal for the period 2015-2018, and the Top Researcher Award for 2018 at Antalya Bilim University, Turkey. He has led a number of international symposia and workshops in flagship communication society conferences. He currently serves as an associate editor and the lead guest/associate editor for several well reputed journals, including the IEEE COMMUNICATIONS SURVEYS AND TUTORIALS and Sustainable Cities and Society (Elsevier).
LEONARDO MOSTARDA (Member, IEEE) received the Ph.D. degree from the Computer Science Department, University of L'Aquila, in 2006. He is currently an Associate Professor and the Head of the Computer Science Department, Camerino University, Italy. He cooperated with the European Space Agency (ESA) on the CUSPIS FP6 Project, to design and implement novel security protocols and secure geo tags for works of art authentication. To this end, he combined traditional security mechanisms and satellite data. In 2007, he was a Research Associate with the Distributed System and Policy Group, Computing Department, Imperial College London, where he worked on the UBIVAL EPRC Project in cooperation with Cambridge, Oxford, Birmingham, and UCL to build a novel middleware to support the programming of body sensor networks. In 2010, he was a Senior Lecturer with the Distributed Systems and Networking Department, Middlesex University, where he founded the SensoLab, an innovative research laboratory for building energy efficient wireless sensor networks.

VOLUME 8, 2020