A Proficient Mechanism for Cloud Security Supervision in Distributive Computing Environment

The cloud-IoT based computing is being frequently used in plentiful areas like business management, customer relationship supervision, communications and partnership, office efficiency suits, accounting applications, online storage management, electronic mails and shared calendars, human resource and employment etc. There are many benefits of cloud computing like scalability, 24/7 support, high order computing, pay as much as you use, virtual reality and dynamic communication systems. At the same time cloud computing has certain negative aspects like safety, lockin, deficiency of power and trustworthiness. The safety is a major distress in cloud computing. So, in this research work the author is focusing on various protection concepts, issues, concerns, and safety threats [1, 2].

The NIST defined the Cloud Computing architecture by unfolding five important characteristics, three building blocks and four cloud deployment representations [3]. Further, NSIT defined three service representations of cloud computing which are known as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The SaaS provides the software and applications products to the users on demand throughout the internet. The PaaS provides the compatible platform to the users as per their demands across the global network for developing software products using available libraries and tools. The IaaS provides infrastructure to the users as per their demands across the internet.

The cloud representation is divided into four type’s namely Private cloud, Community cloud, Public cloud and Hybrid cloud. In the case of Private cloud, the cloud infrastructure is provisioned for exclusive use by a single organization which has multiple consumers and numerous business units. In Public cloud, the cloud infrastructure is available for open use by the general public. In Community cloud, the cloud infrastructure is exclusively provided for specific community of consumers. In Hybrid cloud, the cloud infrastructure is a union of two or more dissimilar cloud infrastructures [3, 4]. The deployment of SaaS, PaaS and IaaS in a cloud network is presented in fig. 1(a) and fig. 1(b) where secure and speedy data access through IaaS, PaaS and SaaS will remain the main concern of end users and cloud facility providers in hybrid, protected and private clouds based distributive computing environment. The fig. 1(a) describes different ways of providing and managing customers’ oriented services using of SaaS, PaaS and IaaS in a cloud computing network. The fig. 1(b) presents the cloud deployment model where private, protected and hybrid clouds will interact with each other for providing SaaS, PaaS and IaaS types of services to the customers in a secure cloud network. The cloud security supervision and providing efficient access of cloud services are the core concerns of this paper.

The current computing paradigms like single computing, distributed computing, software oriented architecture and networking are building blocks of cloud computing. There are many problems which are related to cloud computing paradigm. These problems can be divided into different categories namely Safety, Protection, Identity management, Resource management, Power / Energy management, Data isolation, Resource Availability, and Resource Heterogeneity [5, 6, 7]. There are several technologies and many leading companies which are providing cloud network services like Microsoft Cloud Technologies, Oracle Cloud Technologies, Oracle Mobile Clouds and Google Cloud Technologies. The Microsoft was the first to provide cloud technologies and applications which were sufficient for all types of business needs. The Microsoft provides all the three services i.e. SaaS, PaaS, and IaaS. For Infrastructure as a service, Microsoft provides Windows server and system canter. For Platform as a Service, it provides Windows Azure with which any one can build, host and scale applications in Windows data center. It also provides SQL SERVER and VISUAL STUDIO. For software as a Service, Microsoft provides office 365, office share point server, and dynamic CRM with exchange server facility [8, 9, 10].

CUSTOMER MANAGES

1(a) Providing services using of SaaS, PaaS and IaaS in a cloud network.

1(b) The cloud deployment model.

Fig.1. The deployment of SaaS, PaaS and IaaS in a cloud Network [12, 13, 14].

In this research work the author has tried to solve the security challenges of cloud computing by studying and analyzing major cloud computing safety concerns, and safety threats which are expected in future generation cloud computing systems. Here, the author has proposed an encoding protocol known as the cloud CCMP (Counter Mode Cipher Block Chaining MAC Protocol) for information safety to prevent various attacks when the data is being transferred between the Cloud and a local network. The prevention mechanism for unauthorized access of data within the Cloud is also presented. A secure and flexible framework to support self-organize and self register of consumer’s information in to the cloud network is designed. Further, in this research paper safe-cloud-IoT architecture for smart transportation / transmission system is designed and computationally analysis of proposed architecture is also presented.

The major research objective of this research work is to introduce CCMP based genuine encoding and decoding techniques which will be used for security enhancement of cloud-IoT integrated distributed computing systems. Further, compare the performance of proposed CCMP based genuine encoding & decoding techniques with existing CBC-HMAC technique in terms of pass zone and fail zones p _vai_ues using standard statistical data analysis tools in cloud computing environment. In the existing scenario, the CBC-HMAC based techniques are being mainly used for providing security in cloud-IoT integrated computing environment. But, it is observed by the author during experimental analysis of results that the CCMP based encoding and decoding techniques can provide better security than CBC-HMAC technique to the customers in the cloud-IoT integrated distributive computing environment. The author hopes that the use of CCMP based encoding and decoding techniques can provide further enhanced security to the customers while accessing IaaS, PaaS, and SaaS services in the cloud-IoT integrated distributive computing environment.

The body structure of this research work includes five sections namely introduction (section I) , literature review and theoretical foundation (section II) , the methodology (section III) , performance evaluation and statistical data analysis (section IV) and conclusions (section V) . The section I describes the need and interaction of cloud security related components. The section II describes about the theoretical foundations of cloud security concerns and review of existing literature. The section III describes the methodology for secure cloud computing framework and the CCMP based genuine encoding & decoding techniques. The section IV describes the performance evaluation and statistical data analysis of proposed methodology using average of mean and standard deviations of p _va i _ues and 1 — p _va iues for CCMP and CBC-HMAC techniques. The section V describes the concluding remarks and future research directions.

2.    Literature Review and Theoretical Foundation of Cloud Security Concerns

Many of the researchers, academicians and industry experts have tried to describe the term cloud computing and its distinctiveness. The researchers Buyya et al. [10] have described as “Cloud is an analogous and dispersed computing system which consists of a group of interrelated virtualized computers and these computers are enthusiastically provisioned and accessible as one or more integrated computing assets recognized throughout cooperation between the service provider and customers.”

The authors Van Bon et al. [7] confirmed that a cloud is a huge collection of readily serviceable and reachable virtualized resources that may be enthusiastically reconfigured to fine-tune with a modifiable load and it optimizes the consumption of resources including IaaS, PaaS, and SaaS. The collections of resources in cloud-IoT integrated distributive computing environment are provided as per the rules of use-per-pay method. At this point of time the prevention of uncertainties are presented by the infrastructure provider according to rules and regulations described in the contract agreement. The researchers Miller [8] authentically said that the clouds are hardware dependent facilities that may provide distributive computations, internetwork and data / information storage abilities with astonishingly stretchable communication capabilities.

The principles of safety are Confidentiality, Authentication, Integrity, Non repudiation, Availability and Access control. In Confidentiality only the sender and the receiver can share the information. By Interception Attack, confidentiality can be broken by listening to the communication between the sender and the receiver. The fig. 2(a) shows the loss of confidentiality due to interception attack e.g. packet sniffing or snooping [19, 20]. The lack of confidentiality in fig. 2(a) is due to the involvement of intruders while several data are being sent and received between sender and receiver.

Sender

Secret

Message

Receiver

Intruder

2(a) Loss of confidentiality due to interception attack.

Sender

I am User A

Intruder

2(b) Loss of authentication due to fabrication attack

Fig.2. Loss of Confidentiality and Authentication Due to Interception and Fabrication Attacks.

The authentication identifies who is who in the communication network. The absence of authentication will increase fabrication attacks and masquerading. The fig. 2(b) shows the loss of authentication due to fabrication attack. The integrity ensures that the message from sender to receiver travels without alterations. The loss of message integrity is a type of modification attack e.g. some sites are SSL 128 bit encoded . In Non-Repudiation, the sender or the receiver cannot deny or refuse that the sender has not sent or the receiver has not received any message. The availability means that the resources /application must be available to authentic users as per service agreement. Attackers may disrupt the availability such as Denial of Service (DOS) [21, 22, 23, 24].

In order to manage the access control, a control access list is prepared which can provide us control and access related information like what can be accessed by whom. The two types of attacks are active attack and passive attack . In the case of active attack, the modification is done in the content of original message such as Masquerade, Modification, DOS and Replay. But, in the case of passive attack, there is no modification involved in the content of original message e.g. release of message contents & traffic Analysis. Some of the other attacks are packet sniffing or snooping, packet spoofing, phishing and socially engineered attacks. Since, the cloud-IoT integrated distributive computing is used by multi-users, numerous enterprises and varied infrastructure. Therefore, innovative cloud-IoT integrated distributed security concerns like velocity of attack, Multi-tenancy, data / information privacy, data / information assurance, and possession holding must be included in the design of next generation cloud computing systems.

Fig.3. The Cloud-IoT integrated safety method

• 2.1.    Securing Physical Layer

• 2.2.    Securing Hypervisor

• 2.3.    Securing Virtual Machines

• 2.4.    One Time Passwords

• 2.5.    Governing and Operating in Cloud-IoT integrated Computing Environment

It is to be guaranteed that the physical server can be protected in such a way that only certified users have authority to use the server. In order to secure physical layer safety, the network service provides access privilege to administrators, users and other work groups. The security providers can disable the unused hardware such as the NIC’s, USB ports or drives in order to avoid copying of some malicious data by malicious users.

Hypervisor safety ensures that the hypervisor is not attacked by any attacker. Hypervisor is secured by installing safety updates and the software updates make sure that the software is up to date. The Hypervisor management system (HMS) can be accessed by configuring strong safety on the firewall between the management system and the network. The HMS provides direct access to administrators managing server. The administrators can prevent unauthorized access of cloud data by unknown users.

The VMs (virtual machines) can be protected by hardening the virtual machines. The thing which may be the major point of attack in cloud-IoT integrated distributive system is the hardware meets software (HMS) network. The HMS will be able to control and manage the hypervisor. The security of VMs may further consist of virtual machine isolation (VMI) and VM hardening concepts. If one of the virtual machines of cloud-IoT integrated distributive network is suddenly attacked by network intruders and if it is by chance compromised then that specific virtual machine should be isolated from the remaining VMs for ensuring that the attackers don’t get full command over the remaining virtual machines of the network and the corresponding infrastructure. The hardening is a way of changing the default configuration in order to achieve greater safety features. The denial of services (DoS) attacks can be prevented by restricting the resources which are to be consumed by virtual machines. The specific cloud-IoT integrated distributive operations like performing penetration testing of the guest operating systems and vulnerability scanning will be able to safeguard the virtual machines which are being used in cloud based systems [28, 29, 30, 31].

The operating system should be updated on very regular basis and the security related software products should be updated from time to time in the cloud-IoT integrated environment for managing the security related issues. The identity management is another concern because public cloud infrastructure has multiple users who are belonging to multiple organizations. The inclusion of multi-layers of safety like biometric authentication and multifactor authentication can make sure that only authentic users can login to the cloud-IoT integrated distributive computing system [2, 11].

In the case of federated identity management (FIM) multiple organizations use the data in a trusted and secure way by ensuring the authenticity of users e.g. it has been seen by the LinkedIn users that the LinkedIn Login is connected with Facebook Login page. The Facebook and LinkedIn might have establish a trust relationship with each other so that they are not aware of passwords but if you login to LinkedIn through facebook then facebook will tell LinkedIn in a software mechanism that this is an authorized user. The open ID is one of the standards for identity federation [32, 33, 34, 35].

Every new access request requires new password. It is a measure against “password compromises”. It enables organizations to authenticate their users of cloud service using the chosen identity provider. The users identities across different organizations can be managed together to enable collaboration on cloud. It is an open standard for decentralized authentication and access control and it can be used by allowing users to log onto many devices using the same digital identity.

Fig.4. The overview of Governance and Operations in Cloud Networks.

Now, in the current era of cloud computing services can challenge several compliance audit necessities like data location and cloud computing safety policy transparency in agreement auditing efforts. The examples of the agreement requirements include privacy and laws; Payment Card Industry (PCI) requirements; and monetary reporting laws [36, 37]. It may be possible that the data cannot be traced for a specific period of time in the cloud. But, on later the operating system of cloud server will know the exact location of data. Therefore, its fast retrieval will become possible in the situations of disaster. In the cloud computing representations, the primary cloud service provider may outsource capabilities to third parties who may also have outsourced the recovery process. This will further bring difficulty for the whole cloud computing system if the primary cloud service provider does not ultimately hold the cloud data. The fig. 4 shows an overview of cloud safety mechanism of cloud computing systems [20, 21, 38].

The intrusion detection software products play an important role in providing securities in cloud networks. These products are used at server level as well at the network level. At network level they do packet sniffing and see whether there is a pattern of attack in the network traffic and at server level they monitor the different operations that how the process es are accessing the system. They monitor the usage of operating system at server level and check there is an intrusion happened in our server and also prevents the attack. Data in cloud should only be accessed by authorize user. Data in cloud should not be accessed by an normal employee i.e. finance data cannot be accessed by the human resource (HR) department and HR department data cannot be accessed by any normal employee. So, role based access control (RBAC) is us in this situation. The BRAC provides additional level of safety and it ensures that only authorize can access the particular resource whether it is a website or a hardware of cloud computing systems [39, 40, 41, 42].

Fig.5. The SecC Framework for Cloud Networks [22, 24, 43, 44].

3.    The Methodology 3.1.    The Secure Cloud (SecC) Computing Framework

In the case of cloud services where user to server networking is needed, the encoding input ‘K’ lasts for the complete data transmission duration. In each session of cloud, a new encoding input needs a unique 13 bytes nonce value N for each encoded MAC Protocol Data Unit (MPDU). The nonce ‘ N’ confirms that duration of encoding inputs K are larger and any repeated attack will be traced and let down by the system. Here, ‘ N’ is built using 48 bits package numeral (PN), 48 bits target internet protocol address (A2), and 8 bits precedence [26]. Governance refers to the policies, processes, laws and institutions that define the structure by which companies are directed and managed [24, 43, 44, 45, 46].

• 3.2.    The CCMP Based Genuine Encoding Technique

The CCM/CCMP is a true encoding procedure which is also known as CCM creator dispensation. The procedure starts by using variation of CBC-MAC to work out the MIC label from the simple text MPDU, AAD and nonce . The MIC label is then updated to the MPDU and then these two are consequently encoded with the help of counter form. The CCMP does not need an independent method for decoding. The decoding is automatically concluded if once the MIC label is confirmed without any fault by the party pursuing decoding. In the case of CCM, a client can choose a MIC label value from a chain of ‘t’ € {4,6,8,10,12,14, 16, 18, 20, 22} bytes. The CCMP yet has unchanged MIC label ‘t’ = 8 [41].

In order to execute genuine encoding, CCM/CCMP uses five inputs i.e. encoding input ‘ K’ , nonce ‘ N’ , simple text ‘M’ , Additional Authenticated Data AAD and a numeric significance for nonce ‘ ’ . The encoding input K is 128 bits. This input is obtained during the IEEE four-way handclasp. The nonce ‘N’ is constructed from the 48 bits package numeral (PN), the 48 bits target IP address (A2), 8 bits precedence of MPDU header and its dimension is 13 bytes. The simple text M is the MPDU which excludes the 8 bytes MIC label and the 8 bytes MPDU header. The AAD is the additional authenticated data which is obtained from the MPDU header. Its size is 22 bytes to 30 bytes. The AAD is made up of frame control, source IP address, Destination IP address, source MAC address and quality control. The user will have to assign a value for the changeable nonce ‘N’ before implementing encoding method. The authenticated encoding process is described and presented in fig. 6.

Fig.6. The CCMP based authenticated encoding [26, 54, 55].

7(a) The construction of Additional Authenticated Data (AAD)

48 Bits                   48 Bits                     8 Bits

<-----------X------------X----->

PACKET NUMBER (PN)

DESTINATION IP ADDRESS (A2)

PRIORITY (Pr)

7(b) The construction of Nonce ( N)

Fig.7. The Additional Data Authentication and Nonce Construction in Authentication Encoding of Cloud Networks.

The value of package numeral (PN) is augmented every time using a counter for allocating an unmarked package numeral to each MPDU. Here, no redundancy of package numeral will occur for the identical encoded input. A novel AAD is created for all transmitted MPDU. The 13 bytes nonce ‘N’ is created from 48 bits package numeral, 48 bits target IP address A2 and 8 bits precedence field of MPDU header. A fresh package numeral and key ID are used for designing CCMP header.

The encoding input K, AAD, nonce ‘N’ and simple text data M will now be used to calculate the value of ciphertext ‘C’ and MIC label (‘t’). The cipher text and MIC label are computed using existing algorithms and their encapsulation outcomes are transmitted as authentic encoded data to the recipient. The fig. 6 shows the diagrammatical description and implementation of reliable encoding technique which generates the Cipher text (‘C’) and MIC label (‘t’) [51, 52]. The construction of 13 bytes nonce ‘N’ from PN, target IP address A2 and the precedence field of MPDU header is presented in figures 7(a) and 7(b) which will represent the Additional Authentication Data (AAD) and nonce ( N ) [53, 54].

• 3.3.    The CCMP Based Genuine Decoding Technique

The CCMP authenticated decoding method uses following five inputs:

Input 1: The 128 bits encoding input ‘ K’ which is obtained from IEEE 4-Way Handshake.

Input 2: The 13 bytes Nonce N.

Input 3: The encapsulated MPDU. This excludes the MIC label and MPDU header). Input 4: The AAD which is 22bytes to 30 bytes and it was obtained previously.

Input 5: The changeable nonce ‘N’ which has already been derived in the encoding method.

After putting these five inputs at right position the legitimate decoding method will be initiated using following steps [26]:

Step 1: The encapsulated MPDU is uncovered of MAC header and CCMP header.

Step 2: The new AAD is created from the uncovered MAC header.

Step 3: The nonce ‘N’ is created from PN, A2 and precedence.

Step 4: The MIC label ‘t’ is obtained from the encoded MPDU after processing.

Step 5: The encoding input K, Nonce N, and encoded MPDU are calculated for creating the original simple text MPDU. This calculation is completed by encoding the encoded MPDU.

Step 6: The Nonce N, new AAD and encoding input K, are calculated for creating the new MIC label ‘t’.

Step 7: Now, the latest and aged MIC labels are compared for verifying the accuracy and reliability of the ADD and encoded MPDU.

The proposed method is assume to be thriving if ‘t=00’ otherwise FALL SHORT communication message will be demonstrated. In this technique the CCMP doesn’t need a separate decoding method because the decoding is involuntarily completed if once the authenticity of MIC label ‘t’ is confirmed without any error. The decoding method of CCMP authenticity verification can be represented by fig. 8 [51, 52, 53].

Fig.8. The CCMP Based Authenticated Decoding.

4.    Performance and Statistical Analysis of Secure Cloud Networks

The unpredictability is a probabilistic characteristic. The certain existing methods can be used to explain and analyze the concept of probability. The researchers [42, 44, 46] used a geometric tool called DIEHARD [48] for verifying the pseudo-randomness personality of RSA’s BSASE and JSAFE random number generation algorithms. The analysis of geometric results proves that JSAFE and BSAFE are accurate for originating pseudo-random series of numbers. The NIST of USA used geometric analysis tool which included 18 tests for selecting Rijndael block cipher in order to replace 3DES [40]. The Rijndael was selected by AES block cipher as a better option for pseudo-random number generation because of its best performance.

The exercise of geometric study in analyzing the performance of cryptographic systems can never be overlooked. The researcher Alani [36] used DIEHARD geometric tool for investigating the randomness distribution of zeros and ones for the cipher texts which were generated by AES-256, 3DES, Blowfish-448 and Serpent-256. Here, simple graphs were used to understand the geometric results which were based on 50 – 50 distribution of zeros and ones. Alani used P vaiues from every test to design graphs which were having three regions namely Doubt, Safe and Fall-short. The outcomes proved that Blowfish-448 and AES-256 have best distribution of p _va i _ues in safe region. Further, NIST [40] geometric test agreed with the results Alani [36] and proved that AES is a superior Pseudo Randomness Function (PRF) . The task of author in this geometric analysis is to examine and prove that CCMP is as good as CBC-HMAC (CipherBlock-Chain key Hash-Message-Authentication-Code) or CCMP is better than CBC-HMAC.

If the data of simple text is encoded by a PRF then the cipher text generated will be a muddled up allocation of ‘0’s and ‘1’s in the result. This allotment of 0’’s and ‘1’s must be 50% - 50% for a superior PRF [30, 18]. Every geometric investigation test is a simulation and integration of different test stages. Any particular test has the capacity to include a wide range of simulation related problems and it can expose all the safety linked problems which were never taken into considerations in theoretical study of systems. The geometric testing of CCMP and CBC-HMAC encoding technique without viewing the corresponding source codes can help us in understanding and measuring the performance of these approaches without any discrimination. Further, it is the fact that the superiority of forecast in geometric investigation tests remains convincing on the majority of occasions. Therefore, a believable logical move is essential for analyzing the PRF behavior of CCMP and CBC-HMAC techniques.

• 4.1.    The Selection of 48-bit IP Addresses for CCMP and CBC-HMAC

It is continuously observed by the researchers that the 32-bits IPV4 addressing scheme is little short for video communication in cloud and IoT based environment whereas 128-bits IPV6 addressing scheme occupies large amount of memory space and it has high memory wastage. Therefore, to overcome these problems of IPV4 and IPV6 the authors used 48-bits IP addresses in developing CCMP and CBC-HMAC communication protocols. The 48-bit IP addressing scheme is compatible with 32-bits IPV4 and 128-bits IPV6 address.

The 1st address, 2nd address, 2nd last address and last address of 48-bits addressing scheme can be written as follow:

1st address = {00000000; 00000000; 00000000; 00000000; 00000000; 00000000}

2nd address = {00000000; 00000000; 00000000; 00000000; 00000000; 00000001}

2nd last address = {11111111; 11111111; 1.1.111111; 11111111; 11111111; 11111110}

Last address = {11111111; 11111111; 11111111; 11111111; 11111111; 11111110}

The total number of addresses generated in 48-bits IP addressing scheme of CCMP and CBC-HMAC communication systems will be 2 ⁴⁸ (281 trillion addresses approximately) where each address will be of 48-bits. These many addresses are more than enough for storing video images and voice signals in cloud and internet of Things (IoT) based computing environments.

The total number of addresses generated in 32-bits IP addressing scheme of IPV4 is 2 ³² (4.29 billion addresses approximately) where each address is of 32-bits. These many addresses are very short for storing video images and voices signals in cloud and IoT based computing environments. Therefore, high speed video communication using IPV4 is not possible in cloud and IoT based environment. If we map 32-bits IP addresses of IPV4 with 48-bits IP addressing scheme of CCMP / CBC-HMAC then this mapping can be represented by Eq.(1).

(IP Address Space ofCCMP or CBC _HMAC) = (2 ¹⁶ x (IP Address Space of IPV4)        (1)

The total number of addresses generated in 128-bits IP addressing scheme of IPV6 is 2128(3.40 x 1026 trillions) addresses approximately where each address is of 128-bits. These are huge amount of addresses and are far beyond the amount of addresses required for our day-to-day video communication in cloud and IoT based communication environment. Hence, video communication using IPV6 will have huge amount of wastage of memory space while providing video communication between end users in cloud and IoT based environment. If we map 128-bits IP addresses of IPV6 with 48-bits IP addressing scheme of CCMP / CBC-HMAC communication approach and 32-bits IP addressing scheme of IPV4 then this mapping can be represented by Eq.(2) and Eq.(3).

IP Address Space of IPV6 = 2 ⁸⁰ x (IP Address Space of CCMP or CBC _HMCA ) (2)

IP Address Space of IPV6 = 2 ⁹⁶ x (IP Address Space of IPV4) (3)

The computational analysis of Eq.(1), Eq.(2), and Eq.(3) shows that the amount of address space occupied by 48-bits IP addressing scheme of CCMP / CBC-HMAC is in the multiples of IPV4 and IPV6. Further, the CCMP and CBC-HMAC approaches are compatible with IPV4 and IPV6 addressing schemes. Hence, integration of CCMP and CBC-HMAC approaches with IPV4 or IPV6 communication environment will be easily possible.

• 4.2.    The Selection of Statistical Testing Tool

• 4.3.    The Selection of Experimental Data

• 4.4.    Defining Importance Level ( a )

• 4.5.    The Assessment of p _vaLues and 1 - p _vaLues

Choosing a geometric test toning set above the other involves considerations of several factors e.g. effortlessness of use, minimizing the needs of computing, and exactness. In current era NIST test suite is being frequently used by researchers and scientists for geometric analysis and testing.

In order to generate convincing geometric test results, this investigation requires using the sample data of size ≥ 1024KB. After conducting rigorous robustness testing the author found that the DIEHARD test suite effectively processed 18MB sample data file which was separately encoded using CCMP and CBC-HMAC. On the other side it was seen by author that The NIST test suite crashed several times while processing the sample data of size ≥ 1024KB. This experiment reveals that DIEHARD geometric testing tool gives better performance than NIST [48]. Hence, the author used DIEHARD tool for geometric testing. The table 1 presents 18 DIEHARD geometric tests and corresponding relevant p _values [34, 40].

The 20MB colororacle.org file was used as sample for this experiment. This file was independently encoded using CCMP and CBC-HMAC encoding techniques. The ensuing cipher texts, colororacle.ccmp and colororacle.cbc-hmac were forwarded into the eighteen DIEHARD geometric tests to yield colororaclereport.ccmp and colororaclereport.cbc-hmac . These reports generated approximately 242 p _values . The p _values generated in the colororaclereport.ccmp and colororaclereport.cbc-hmac were the quantification of random distribution for ‘0’s and ‘1’s in colororacle.log after encoding it by CCMP and CBC-HMAC.

Table 1. The Statistical Tests for DIEHARD and the corresponding p _V aiues

Type of DIEHARD Test Conducted		Pva.l.ues	Chi Square Test	KS-TEST
1.	Binary Position Test of 32x32 Matrices	2	√	√
2.	Birthday Spacing Test	9	×	√
3.	Bit Flow Test	20	×	×
4.	Overlapping Five Combination Test	10	×	√
5.	The OQSO	29	×	×
6.	Binary Position Test 8x10 Matrices	25	×	×
7.	Count the ‘1’s Test on Flow of byte	2	√	×
8.	Binary Position Test 34x34 Matrices	3	√	×
9.	The Smallest Distance Test	20	√	√
10.	Count the ‘1’s Test for particular byte	26	√	×
11.	The Craps Test	2	√	√
12.	The 3D Sphere Test	20	×	√
13.	The Overlapping Sums Test	3	×	×
14.	The OPSO	24	×	×
15.	The Runs Test	4	×	×
16.	The DNA Test	31	×	×
17.	The Parking Bundle Test	10	×	√
18.	The Compress Test	2	√	×
Sum of Results		242	7	7

The variable a is defined as the chance of discarding a Null Assumption even if it is accurate. It is also known as category I defect. If a researcher considers the testing of PRF in safety form then he / she should present a as the chance that the test will give negative results despite the fact that the form is a true PRF. In other words a is the smallest prearranged value under which a Null Assumption can be discarded. Here, 0.01 <  a <  0.31. For the purpose geometric test a is watchfully fixed near to 0.05.

The p _va i _ue is also called as probability / possibility value . The р _раие represents the possibility for a specified statistical representation that if the Null Assumption is exact then the statistical review will be alike or superior to the actual experimental outcome. However, Johnson’s explanation of р _ра;_ие has been disproved by researchers [42, 43]. The author argued that there is nothing random about whether a Null Assumption is true or false. This research work defines р _ра;_ие as the determination of supremacy of evidence observed in experimental data besides H 0 . The р _ра;_ие is interrelated to a and H₀. The H 0 is acknowledged if р _ра;_ие > a , and is abandoned if p _va i _ue <  a [2].

• 4.6.    The Estimation of Guarantee Point

• 4.7.    The Estimation of Null and Alternate Assumptions

• 4.8.    The Estimation of Success and Fall Short Criteria

The researchers [42, 43, 44] recommended that guarantee point provides more information than р _уа 1 _ие5 . The researcher [43] raised a question that “A confidence interval provides both an estimate of the effect size and a measure of its uncertainty”. For the purpose of geometric test the guarantee point is calculated using following procedure:

(1 - a ) x 100% = (1 - 0.050) x 100% = 95.00%

Definition 1: Null Assumption ( H 0 ) was defined by [41] which is the declaration about the geometric allocation of one or additional variables in a specified trial data. In the proposed analysis H 0 is used to compare the PRF of CCMP and CBC-HMAC.

Definition 2: The Alternate Assumption (H i ) was defined by [41]. It is the substitute declaration for the geometric distribution of variables in a specified trial data. The value of H i is believed to be true if Null Assumption fails. The Alternative Assumption (H i ) is used in the geometric analysis of this research work to prove that CCMP is superior to CBC-HMAC.

After understanding the research of [36] and [42], this research has adapted the proposed approach as the root for defining the pass and fall short criteria. Therefore, the fall short and pass used by the proposed work for interpretation of results are accurate and trouble-free.

The next source for deciding pass and fall short criteria is connotation stage, which is set at 0.050 (5%). It gives confidence level of (1.0 - 0.050)x100% = 95.00%. Each set of 242 р _уа 1 _ие5 are converted into a diagram. Here, every graph is divided horizontally and vertically into different key areas using following inference rules (IRs):

• IR 1 : The р _уа 1 _ие5 less than the 0.050 significance point are in the Fall Short Zone (F ZA ) . Therefore, these values will be considered as fall short test cases.

IR 2 : The certain р _уа 1 _ие5 which are equal to or below 0.00 levels are considered as Completely Fall Short Zone (CF _Z ) . These р _уа 1 _ие5 will play a deciding role in the case of equal score conditions.

IR 3 : The р _уа 1 _ие5 greater than or equal to 0.050 and less than 0.40 are in the Tolerable Zone (T _Z ) Therefore, these values are tolerable.

IR 4 : The р _уа 1 _ие5 greater than or equal 0.40 and less than 0.60 are considered within perfect region called Ideal Zone (I _Z ) . These р _уа 1 _ие5 values are imminent for 50%-50% predictable distribution of ‘0’s and ‘1’s.

IR ₅ : The р _уа 1 _ие5 greater than or equal to 0.60 and less than 0.95 are in Satisfactory Zone (S _Z ) . Therefore, these р _уа 1 _ие5 are fine and adequate.

IR 6 : The р _уа 1 _ие5 equal to 0.95 are assumed to be Good Enough Zone (GE Z ).

IR 7 : The р _уа 1 _ие5 greater than 0.95 are assumed to have entered in Fall Short Zone (F _ZB ) beyond Assurance point.

It is very clear from these rules that an excellence quality PRF should have maximum р _уа 1 _ие5 in the range of IR4 and minimum р _уа 1 _ие5 in the range of IR 1 , IR 2 and IR 7 . If two techniques have same PRF values in the range of IR4 then different possible combinations of the union of IR 3 , IR 4 , IR 5 , and IR 6 should be used for making decisions.

After analyzing the above inference rules from IR 1 to IR 7 the author firmly states that the conditions represented by Eq.(4) to Eq.(11) will always remain true where as Eq.(12) and Eq.(13) may or may not be true if and only if CCMP is a better PRF than that of CBC-HMAC:

{CCMP[FzA(Pvalue)] + CCMP[FzB(Pvalue)]} < {CBC_HMAC[FzA(Pvalue)] + CBC_HMAC[FzB(Pvalue)]}

{CCMP[FzA(Pvalue)] + CCMP[CFz(Pvalue)]} < {CBC_HMAC[FzA(Pvalue)] + CBC_HMAC[CFz(Pvalue)]}

{CCMP[F zA (P value )] + CCMP[CF z (P value )] + CCMP[F zB (P value )] }<

{CBC_HMAC[FzA(Pvalue)] + CBC_HMAC[CFz(Pvalue)] + CBC_HMAC[FzB(Pvalue)]}

{CCMP[T z (P value )] + CCMP[I z (P value )] + CCMP[S z (P value )] } >

{CBC_HMAC[Tz(Pvalue)] + CBC_HMAC[Iz(Pvalue)] + CBC_HMAC[Sz(Pvalue)]}

{CCMP[Fza(1 - Pvalue)] + CCMP[Fzb(1 - Pvalue)]} < {CBChmac[fza(i- pvalue)] + CBChmac[fzb(i- pvalue)]}

{CCMP[F za (1 - P value )] + CCMP[CF z (1 - P value )]}

< {CBC_HMAC[Fza(1 - Pvalue)] + CBC_HMAC[CFz(1 - Pvalue)]}

{CCMP[F za (1- P value )] + CCMP[CF z (1- P value )] + CCMP[F zb (1- P value )] }<

{CBChmac[Fza(i-Pvaiue)] + CBC_HMAC[CFz(1 - Pvalue)] + CBC_HMAC[Fzb(1 - Pvalue)]}

{CCMP[T z (1 - P value )] + CCMP[I _z (1 - P value )] + CCMP[S z (1 - P value )] } >

{CBC_HMAC[Tz(1 - Pvalue)] + CBC_HMAC[Iz(1 - Pvalue)] + CBC_HMAC[Sz(1 - Pvalue)]}

{CCMP[Iz(Pvalue)] } ^ { CBC_HMAC[Iz(Pvalue)]}

{CCMP[Iz(1 - Pvalue)] } ^ { CBC_HMAC[Iz(1 - Pvalue)]}

• 4.9.    Experimental Analysis of Outcomes and Discussions

I t is observed that the easiest and almost correct way to display the outcome is to utilize graphical symbols for representing all p _pai_Ues which are originated from the geometric tests. The total of 242 p _pai_Ues which were obtained from each test is used to propose the graphs presented in figures 9, 10, 11 and 12.

Fig. 9. Distribution of p _vata_es for CCMP [26, 54, 55].

Fig.10. Distribution of 1 - p _vaJues for CCMP [26, 54, 55].

Fig.11. Distribution of p _vatues for CBC-HMAC system [26, 54, 55].

The number of p _va i _ues for CCMP and CBC-HMAC in F_ZA, CF_Z, T_Z, I_Z, S_Z, GE Z , and F_ZB were counted for evaluating the performances. As per fig. 9 it was observed that the CCMP gave 10 p _va i _ues in F_ZB and approximately 4 p _va i _ues in F_ZA. Therefore, total number of p _va i _ues in F_ZA + F ZB + C FZ is approximately fourteen. In between it was observed that approximately 28 to 30 p _va i _ues in I Z area and approximately 228 p _va i _ues in the range of T Z , I Z , S Z , and GE Z areas.

The records of [48] showed that there are two variants of the DIEHARD geometric tool. One variant is in “C” binary and the other variant is in Fortran Language. The literature implied that the two variants compute p _va i _ues in mirror image of each other. One variant computes p _va i _ues and the other computes 1 — p _va i _ues . At this stage it is decided to compute and draw the equivalent 1 — p _va i _ues for each p _vai_ues . The diagrammatical representation of p _va i _ues and 1 - p v _a i _u es have shown their symmetric behavior.

The fig. 10 presents the distribution of 242 of 1 — p _va i _ues for CCMP. The distribution of 1 — p _va i _ues in fig. 10 is the mirror representation of fig. 9. There are four 1 — p _vai_ues in the F_ZB area. There are approximately twelve 1 — p _va i _ues in the FZA area. The total number of 1 — p _va i _ues in the I Z , and IR 3 , IR 4 , IR 5 , IR 6 rules based zones still remained unaffected.

The fig. 11 presents the allocation of p _va [ _ues for CBC-HMAC approach. With reference to fig. 11, CBCHMAC has shown 14 p _va i _ues in the F_ZBarea and 14 p _va i _ues beneath the 0.05 significance level (F_ZA area). There are approximately 55 p v _a i _u es in the ideal zone. In over all, CCMP recorded roughly 14 p _va i _ues in F_ZA + F_ZB + CF_Z zones whereas CBC-HMAC showed approximately twenty seven to twenty eight p _vai_ues in these zones. Here, golden rule is that the technique having lowest number of p _va i _ues in all types of Fall Short Zones will be considered as the best algorithm. Therefore, it can be confirmed from the p _va i _ues of F_ZA, F_ZB, and CF Z for CCMP and CBC-HMAC protocols that the PRF of CCMP is better than that of CBC-HMAC.

Fig.12. The distribution 1 — p _values for CBC-HMAC [26, 54, 55].

Table 2. The p _values and 1 — p _values based performance comparison of CCMP and CBC-HMAC [26, 54].

Zone Name	CCM/CCMP			CBC-HMAC
	Approximate Pvalues		Approximate 1 Pvalues	Approximate Pvalues		Approximate 1 Pvalues
Fza	: оз :		: os:	: о?:		: 05:
CFz	\01/		\ 06/	\рз/		\ 06/
Tz	/ 100*		/95 \	/67 *		/ 80 \
Iz	:   30		• 32 :	: 57		: 45 •
Sz	:   86		: 86 :	: 75		: 47 ■
GEz			w	*.07		*.08 /
Fzb			( 08/	{ 11 •		: ю: .....**-*■••*** * *

The fig. 12 presents the distribution of 242 of 1 — p _values for CBC-HMAC. The distribution of 1 — p _values in fig. 12 is the mirror representation of fig. 10. There are approximately ten 1 — p _values in the F ZB zone. There are approximately twelve 1 — p _values in the F_ZA fall short zone. The total number of 1 — p _values in the T_Z, I Z , S_Z, and GE Z zones for fig. 12 still remained unaffected. The comparison of p _vai_ues and 1 — p _values for CCMP and CBC-HMAC in different zones which are based on IR 1 to IR 7 can be represented by table 2.

It seems from table 2 that the performance of CBC-HMAC is better than that of CCMP if and only if ideal Zone ( I Z ) p _values and the corresponding 1-( V _values ) are taken into considerations because CCMP recorded thirty p _values in the ideal zone whereas CBC-HMAC recorded fifty seven p _values in ideal zone. Similarly, CCMP recorded thirty two 1 — p v _alue s in I Z area whereas CBC-HMAC recoded forty five 1 — p _values in the same area. But, the author suggests that considering only I z values for concluding final result will be unfair and incomplete.

Therefore, the author has constructed matrices for all fall short zones and all pass zones collectively for comparing the overall performance of CCMP and CBC-HMAC. The matrices of all fall short zones (F ZA , CF Z , F ZB ) and all pass zones (T Z , I Z , S Z , GE Z ) for CCMP and CBC-HMAC can be represented by Eq.(14), Eq.(15), Eq.(16) and Eq.(17):

		CCMP pvah	CCMP ie            1 Pvalue
	F za	03	05	()
CCMPfail    = ldll zone	CF z	01	06
	F ZB	10	08
		CCMP pvah	CCMP ie            1 Pvalue
	F za	07	05	()
HMACfail     = ldll zone	CF z	03	06
	F ZB	11	10
		CCMP pvah	CCMP ie            1 Pvalue
	T z	100	95
ССМРПЯ„	I z	30	32	(16)
P ass zone	S Z	86	86
	GE z	12	10
		CCMP pvah	CCMP ie            1 Pvalue
	T z	67	80
HMAC     =	I z	57	45	(17)
passzone	S Z	75	47
	GE z	07	08

From Eq.(14) and Eq.(15), it is observed that the computation result of matrix CCMP FZ is smaller than that of matrix HMAC FZ . It means that CCMP has smaller number of p _va i _ues and 1 — p _va iues in all fall short zones in comparison to CBC-HMAC. Similarly, it is clear from Eq. (16) and Eq. (17) that computation of matrix CCMP_pasSzone is much higher than that of HMAC _pasSzo . It means that the p _va i _ues and 1 — p _va i _ues of all pass zones for CCMP are very high in comparison to that CBC-HMAC. Hence, it can be easily concluded that CCMP has lower number of p _va i _ues and 1 — P v _a i _u es in all fall short zones in comparison to CBC-HMAC whereas CCMP has higher number of p _va i _ues and 1 — P v _a i _u es in all pass zones in comparison to that CBC-HMAC.

The mean and standard deviation of p _va i _ues and 1 — p _vai_ues for all fall short zones and all pass zones can also help in comparing the performance of CCMP and CBC-HMAC techniques. Here, following finishing rules (FRs) will be used to compare the performance:

FR 1 : The technique having highest value of average mean and lowest value of average standard deviation for all pass zones will be considered as the best technique.

FR 2 : The technique having lowest value of average mean and highest value of average standard deviation for all fall short zones will be considered as the best technique.

The values of mean and standard deviation for fall short zones and pass zones can be calculated using formulae of Eq.(18), Eq.(19), Eq.(20), Eq.(21) and Eq.(22).

[(CCMpP ^values + CCMpPv ^alues + CCMpP ^values )+ (CCMp1-p ^values + CCMP1- ^Pvalues + CCMp1-p ^values )]

[(     FZA CFZ FzB FzA CFZ FZB

{Mean of HMACfpvalues and 1 pvalues } = I                    failzonesJ

[(HMACpvalues+ HMACpvalues + HMACpvalues)+ (HMAC1-Pvalues+ HMAC1-Pvalues + HMAC1-Pvalues)] [(      FZA_____________CFZ_____________FZB    ) (      FZA_______________CFZ________________FZB

{Mean of CCMPPvalues and 1 pvalues } = V                passzonesJ

[(CCMpP ^values + CCMpP ^values + CCMpP ^values + CCMpPv ^alues )+ (CCMP1 ^-Pvalues + CCMP1 ^-Pvalues + CCMp1- ^Pvalues )]

TZ______________IZ_______________sz______________GEz    7 v      TZ________________IZ_________________GEz

{Mean of HMACpvalues and 1 Pvalues } = V                 passzonesJ

[(HMAcP ^values + HMAcP ^values + HMAcP ^values + HMAcPv ^alues )+ (HMAc1- ^Pvalues + HMAc1- ^Pvalues + HMAc1- ^Pvalues )]

¹       TZ ______________ Iz _______________ ^S Z ______________ ^GE Z              TZ _________________ Iz __________________ ^GE Z

/ l ₁ ^N ₌ 1 (x i —x)

N N—1

{Standard Deviation of CCMP and HMAC }

The calculated values of mean and standard deviations for different fall short zones and pass zones of CCMP and HMAC using Eq.(18), Eq.(19), Eq.(20), Eq.(21) and Eq.(22) for fig. 9, fig. 10, fig, 11, and fig. 12 are presented in table 3. Therefore, the data sources of table 3 are the computed values of mean and standard deviations of p _va i _ues and 1 — p v _a i _u es obtained for different fall short zones and pass zones of CCMP and HMAC using Eq.(18), Eq.(19), Eq.(20), Eq.(21), and Eq.(22) for fig. 9, fig. 10, fig, 11, and fig. 12.

After comparing mean and standard deviation of all pass and fall short zones using table 3 and Eq.(18) to Eq.(22) following observations were recorded:

Observation 1: The CCMP technique has significantly lower number of Mean,, , and Mean,-,, , in all fail l          c         j                              pvaiues             1 Pvaiues zones inclusively in comparison to that of CBC-HMAC.

Observation 2: The CCMP technique has considerably higher number of Mean, , and Mean , in all

1                                                       pvaiues             1 pvaiues pass zones in comparison to that of CBC-HMAC.

Observation 3: The average of standard deviations for p _pai_ues and 1 — p _va i _ues of CCMP technique in all fail zones inclusively is much higher than that of CBC-HMAC.

Observation 4: The average of standard deviations for p _va i _ues and 1 — p _va i _ues of CCMP technique in all pass zones inclusively is appreciably smaller than that of CBC-HMAC.

Therefore, on the basis of finishing rules ( FR 1 to FR 2 ), Null Assumption , Alternate Assumption , Observation 1 , Observation 2 , Observation 3 , and Observation 4 it is clearly proved that encoding and decoding performance of CCMP is a far better than CBC-HMAC.

Table 3. Computation results of mean and standard deviations for CCMP and HMAC techniques

CCMP„_ass HMAC_pass CCMP_fnl, HMAC_fai, P^^zones             P^Ubbzones            / ^M**zones              J ^ut*zones

Mean of PValues	57.00	51.50	4.66	7.00
Mean of 1 - Pvaiues	55.75	45.00	6.33	7.00
Average of Mean for Pvaiues and 1 - Pvaiues
	/*5638 X(High)	48.25\ (Low).*'	****5.50 ‘•.(Low)	7.00*. (HigJO*
Standard Deviation of Pvaiues	43.71	30.52	4.73	4.00
Standard Deviation of 1 P values	702.50	866.29	2.54	2.69
Average of standard deviation for Pvaiues and 1- Pvaiues
	••373.11 ’..(Low)	448.41*. (High)."	..**3,64 •..(High)	ззб*.. (Low) .*

In cloud computing and Internet of Things (IoT) related communication systems the end users communicate with each other by sending and receiving messages. These messages are transmitted in encoded format and before displaying data the receivers system decodes it. Therefore, the decoded data is always displayed on the screen. In this research work the author has proved on the basis of mean and standard deviations of p _va i _ues and 1 — p _va iues in different zones that CCMP is a far superior PRF than that of CBC-HMAC. Hence, on the basis of these comparisons and detailed analysis of results the author recommends that the use of CCMP based communication systems will be advantageous, speedy, efficient and secure for sending and receiving messages through internets of things (IoT) and other cloud computing systems [55] [56].

5.    Conclusions

In order to conduct statistical and geometric study of CCMP and CBC-HMAC, the NIST test tool [40] and DIEHARD geometric study instruments [48] were tolerably examined and an knowledgeable choice was decided to apply DIEHARD because of its straightforwardness, exactness of outcome, and capacity to route huge files without using towering computing influence. The accurate geometric analysis was conducted on the basis of inference rule ( IR 1 to IR 7 ), Null Assumption, Alternate Assumption, and finishing rules ( FR 1 to FR 4 ) for computing average mean and standard deviations of p _va i _ues and 1 — p _va i _ue s for all fall short and pass zones.

The investigations of this research work shows that CCMP is efficient enough in the ensuing zones like problem of parameterization, effectiveness, and protection measures. The proposed CCMP based representations is able to handle robustness situations and cases accurately and efficiently. The proposed analysis provides us very clear evidences that the PRF of CCMP is a superior and secure in contrast to that of CBC-HMAC. Hence, the author proposes in this research work that CCMP based communication techniques should be preferred in all internets of things (IoT) and cloud computing related communication systems in order to further improve the accuracy, efficiency, security and reliability of cloud-IoT integrated distributive computing system. The author observed that the PRF of CCMP is better than CBC-HMAC. The performance of CCMP based systems can be further enhanced in future by accumulating random encoding and decoding capabilities in the cloud-IoT enabled distributive computing systems.