On the Security of a Lightweight Cloud Data Auditing Scheme

In cloud storage service, public auditing mechanisms allow a third party to verify integrity of the outsourced data on behalf of data users without the need to retrieve data from the cloud server. Recently, Shen et al. proposed a new lightweight and privacy preserving cloud data auditing scheme which employs a third party medium to perform time-consuming operations on behalf of users. The authors have claimed that the scheme meets the security requirements of public auditing mechanisms. In this paper, we propose two attacks against Shen et al.’s scheme. In the first attack, an active adversary who is involved in the protocol, can forge a valid authenticator on an arbitrarily modified data block. In the second attack, the dishonest cloud server arbitrarily manipulates the received data blocks, and in both attacks data manipulation is not detected by the auditor in the verification phase. Accordingly, the scheme is insecure for cloud storage auditing.