Research Article | Volume 5 Issue 1 (Jan-June, 2025) | Pages 1 - 5
A New Technique To Prevent Hacks Through Key Logger And Cookies Hijack In Cloud Computing
Department of Computer Science, College of Computer Science and Mathematics, Tikrit University, Tikrit, Iraq.
Under a Creative Commons license
Open Access
Received: Jan. 2, 2025
Revised: Jan. 7, 2025
Accepted: Jan. 11, 2025
Published: Jan. 18, 2025
Abstract

Cloud computing has made internet communication and data sharing easier and more flexible since the user can access stored data from any place and manage applications on different platforms, without having to worry about hardware failure or maintenance. A Cloud Service Provider (CSP) should ensure the security of data transactions and verify logged-on users to encourage people to adopt cloud computing services without worrying about their confidential data. Several approaches were developed to ensure the security of the data itself and the security of data transactions. The proposed system in this research is concerned with cases where the cookie file that contains users’ credentials gets hijacked, and the hacker gets unauthorized access to users’ data. The proposed system employs encryption of the user’s device's MAC address with other attributes using the famous and reliable RSA encryption technique. Testing the system shows that hijacking the cookie file would be useless to the hacker under this technique, and no authorization is granted.

Keywords
INTRODUCTION

The advancement in internet technology allowed the development of a set of internet services that helped both individuals and enterprises manage and exchange information faster and more reliably. One of these services is cloud computing, a concept that relates to a set of internet services that allow users to do tasks from anywhere they reside over a secured connection provided by a third party that offers the cloud service [1]. This type of service lets users run their applications faster from different platforms, makes managing data easier, and decreases the amount of maintenance required for their connected hardware [2].

 

Cloud computing as a concept goes way back to the 1960’s with the development of mainframe computers and the wide spread of the internet, but due to the high cost of mainframes, it wasn’t adopted widely. But by the 1990’s, telecommunication companies and Internet Service Providers (ISP’s) offered “virtual private networks” [3] to their users by providing shared access to the same hardware and some Internet services infrastructure. Figure 1 shows the general architecture of a cloud computing-based system [4].

Figure 1: Cloud Computing System General Architecture [5]

As mentioned earlier, a cloud computing system aims at connecting different devices with different platforms to facilitate communication. The figure above shows how different applications are unified in the cloud system so that any device with any platform can have wireless access to these applications [6]. This shared access brought security concerns to the forefront of adopting and using this new service, yet the development of security measures and the advancement of computer hardware that allowed encryption with big encryption keys (>512 bits) lessened some of these concerns [7]. Security procedures that are adopted by Cloud Service Providers (CSPs) are transparent to users, yet the large number of users from different environments and various technological backgrounds aggravated security concerns [8]. Even though mutual authentication of users is done by the CSPs, some users might have concerns about other users, making them hesitant to adopt the cloud technology.

 

These concerns provided research material to information technology and data security researchers. The authors in [9] surveyed the challenges of cloud computing, especially the security-related ones, along with examples of security issues that some CSPs face, yet no solutions were provided to those challenges. Some researchers who attempted to address security issues in cloud computing services focused on the encryption of data stored on the cloud, like [10], who enhanced the commonly used AES (Advanced Encryption Standard) encryption algorithm to improve the security of data stored on the cloud and assure data confidentiality. The research in [4] made enhancements to that research and tested the encryption technique for validity against several attacks: variety square attack, key attack, key recovery attack, and differential attack.

 

The AES algorithm was adopted in different research for the simplicity of its encryption/decryption processes, which rely on iterative operations that deploy substitution and permutation of the data input (text to cipher). The researchers in [11] adopted AES to encrypt data in a multi-cloud environment along with file splitting to secure data: after the data is encrypted, it is split into a series of connected parts and distributed over several clouds to enhance security and minimize the danger of hacking attempts. This architecture might be effective with small files, but not as much if the files get bigger, and it raises computational concerns about reassembling the file when it is downloaded from the cloud. Comparing different symmetric key encryption techniques in the study in [12] proved that, from the cloud computing applications perspective, AES encryption is preferred since it consumes less time to encrypt/decrypt a text compared to the RSA and DES algorithms [13],[11].

 

Remote data integrity checking (RDIC) refers to the ability of a remote server to verify that the user who is using the server to store data is the legitimate owner of that data and is the only one who should gain access to it [14]. Amongst the top ten risks the Open Web Application Security Project identified [15], six are related to identity validation. The risks are (the ones related to authentication are in boldface) [16]:

  • Injection 
  • Broken Authentication 
  • Sensitive Data Exposure 
  • XML External Entities (XXE)
  • Broken Access Control 
  • Security Misconfiguration 
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization 
  • Using Components with Known Vulnerabilities 
  • Insufficient Logging & Monitoring

This shows the importance of an efficient security procedure that takes user authentication into account in addition to encrypting the data, and that stays efficient in terms of processing time and availability.

 

2. User Authentication in Cloud Computing

  • Problem statement: 

Most clients are connected to cloud servers through internet applications that require user authentication (using a username and a password). These credentials are saved as cookies on clients’ connected devices to speed up later access without requiring the users to re-enter their credentials. If this cookie file gets stolen somehow, then the user’s data is in danger of getting stolen, which raises a security alert.

  • Proposed solution: 

The proposed solution consists of a small program that is installed on the cloud’s server and another piece of the program on the client’s device. When the user wants to get access to the cloud’s server, the cloud server automatically generates public and private keys using the RSA algorithm and sends the public key to the client program. The client program, in return, reads the computer’s MAC address, encrypts it using the public key, and sends it back to the cloud server, which decrypts the MAC address and adds a table record of this MAC address and the session number. The server then generates a random number and assigns it to the same row of the record, creating a look-up table for MAC addresses. After that, it takes the random number and adds it to the cookie that will be sent to the client computer.

 

2.1 Client-Side Connection

When the client wants to access the database on a cloud server using cookie authentication, the client’s computer will use a cookie file that contains the client computer’s MAC address. On the server’s side, before authenticating the user, the server sends a request to the client-side program asking it to check the MAC address of the client computer and send it (RSA encrypted) with the active session’s ID appended. If the MAC address is the same as the one in the cookie and the computer is trying to access the server via the same session ID, access is granted; otherwise, authentication fails [17].

 

When a hacker steals a cookie, the cookie will contain a number that represents the MAC address of the legitimate user’s device, but when the hacker tries to connect to the cloud’s server database, the client program will not respond with the same MAC address and thus authentication fails [18]. All of these processes are done automatically: the program detects the device’s MAC address on its own, and advanced users can configure the size of the encryption (128, 256, or 512 bit).

 

2.2 Cookie Generation

When a user opens a session to connect to his/her account on the cloud by entering the given username and password, the server automatically generates a public key using the RSA ciphering algorithm. This key is sent to the client and used by the installed program to encrypt the client’s device MAC address and send it back (encrypted) to the server, where it gets decrypted using the private RSA key generated at the beginning of the session [19]. 

By then, the server generates a record for this user’s session in its database of clients that contains the client’s MAC address, and ID of the current session along with a random number that the server generates to be used later for authentication. This random number is sent to the client’s program inside the cookie file [20]. The flowchart in Figure 2 shows the process of generating a valid cookie at the server when a user requests access.

Figure 2: How cookie is generated from correct password authentication on the server’s side

2.3 Server Side Authentication

When a new session is opened between the user and the cloud server, the server asks the client for the stored cookie and the current device’s MAC address; the new session’s ID is built, and these are encrypted into a single file with the public key that was sent from the server at the authentication (username and password) stage. On the server’s side, the program decrypts the received file and compares the received MAC address with the one that was previously stored in the database of clients. If both values match, then the authentication is a success and the user is granted access to the data stored on the cloud; otherwise, access is denied. In the flowchart in Figure 3, the user’s validation process is initialized when the client’s authentication-by-cookie procedure starts. If the cloud’s server can successfully read the cookie file, it sends a request to get the device’s MAC address, which is encapsulated with the cookie file and encrypted using RSA. If the received MAC address matches the one stored in the cloud’s server, authentication is granted.

 

Figure 3: Server checking for cookie authentication in coordination with the client program
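
The enrolment and check described in Sections 2.1 to 2.3, as an added Python example (not the authors' program). It assumes the client sends the MAC address concatenated with the current session ID, and it uses a fixed toy RSA key (textbook RSA, no padding) in place of the per-session key pair; the names CloudServer and client_response and the MAC addresses are constructed for illustration.

```python
import hmac
import secrets

# Toy RSA key from two known Mersenne primes: constructed for this example,
# textbook RSA without padding. It stands in for the per-session key pair the
# paper's server generates; real code would use a vetted library with OAEP.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
MAC_LEN, SID_LEN = 6, 16

def toy_rsa_keypair():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))    # private exponent
    return (n, E), (n, d)

def client_response(public_key, mac, session_id):
    """Client program: encrypt MAC address || session ID with the server's public key."""
    n, e = public_key
    payload = bytes.fromhex(mac.replace(":", "")) + session_id
    return pow(int.from_bytes(payload, "big"), e, n)

class CloudServer:
    def __init__(self):
        self.public_key, self._private_key = toy_rsa_keypair()
        self._lookup = {}                # cookie random number -> enrolled MAC

    def _decrypt(self, ciphertext):
        n, d = self._private_key
        try:
            raw = pow(ciphertext, d, n).to_bytes(MAC_LEN + SID_LEN, "big")
        except OverflowError:            # not a well-formed MAC || session ID payload
            return None, None
        return raw[:MAC_LEN], raw[MAC_LEN:]

    def enroll(self, session_id, ciphertext):
        """Section 2.2: after password login, record the MAC and mint the cookie value."""
        mac, sid = self._decrypt(ciphertext)
        if mac is None or not hmac.compare_digest(sid, session_id):
            raise ValueError("response does not belong to this session")
        cookie_value = secrets.token_hex(16)
        self._lookup[cookie_value] = mac
        return cookie_value

    def authenticate(self, cookie_value, session_id, ciphertext):
        """Section 2.3: accept the cookie only with a matching MAC for this session."""
        enrolled = self._lookup.get(cookie_value)
        mac, sid = self._decrypt(ciphertext)
        if enrolled is None or mac is None:
            return False
        return hmac.compare_digest(sid, session_id) and hmac.compare_digest(mac, enrolled)

def demo():
    server, pub = CloudServer(), None
    pub = server.public_key
    owner, other = "02:00:00:aa:bb:01", "02:00:00:aa:bb:02"   # constructed MACs
    sid1, sid2, sid3 = (secrets.token_bytes(SID_LEN) for _ in range(3))
    cookie = server.enroll(sid1, client_response(pub, owner, sid1))
    owner_resp = client_response(pub, owner, sid2)
    other_resp = client_response(pub, other, sid2)
    return (server.authenticate(cookie, sid2, owner_resp),    # enrolled device
            server.authenticate(cookie, sid2, other_resp),    # cookie on another device
            server.authenticate(cookie, sid3, owner_resp))    # response from another session
```

The server never observes the MAC address itself; it relies on the value the client program reports, so the client program is part of the trust boundary of this scheme.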

 

3. Testing the System and Results 

The system was tested in a Kali Linux environment, with two PCs using the same website, in order to see how efficient the system is.

Several cookie hijack attempts were done to test how strong the proposed system is, where the hacker owns a Kali PC that is equipped with Ettercap, Hamster, and Ferret tools for the cookie hijacking process. Figure 4 shows a screenshot from the hacker’s computer trying to steal the cookie file.

Figure 4: Ferret tool while targeting PC connection on the hacker’s PC

The hacker who was testing this system made several attempts to steal the cookie file with the system installed and without it. The table below shows the time required to hijack the cookie file with different settings.

 

 

Table 1: Cookie hijack attempt times under different settings

| Process \ Algorithm | Normal system PC – no encryption | Normal system PC – RSA 128 | Our Proposed system – RSA 128 |
|---|---|---|---|
| Cookie Hijack time | 35 seconds | 75 seconds | 78 seconds |
| Direct Authentication result | Succeeded | Failed | Failed |
| Indirect Authentication result | Not needed | Succeeded | Failed |
| Indirect authentication time | -- | 5 hours to pass | 5 hours then failed |

The Cookie Hijack time is the time needed for the hacker to hijack cookies through a specific website while connected to the same network as the client’s device. Direct authentication is when the hacker tries to use the hijacked cookie directly by inserting it into the local cookies folder in the client’s device and then simply trying to get access to the website. This method works directly when cookies are not encrypted.

 

Indirect authentication: If the cookie connection is encrypted, the cookie is useless unless it is decrypted to retrieve the original cookie from the ciphered one. As RSA encryption is hard, we used special “cheat” rainbow tables to guess the correct password and retrieve the original cookie (as testing RSA encryption is not considered as part of the results). Indirect authentication time is the time required by the rainbow table to decrypt the cookie file.

CONCLUSION

This research is concerned with securing data transactions and user authorization on cloud servers. The users’ credentials are commonly stored as a cookie file on the user’s device to facilitate easy and fast login to the cloud server. Some hackers could gain access to this cookie file, and when they do so they could get unauthorized access to the data stored on the cloud. So the system developed in this research encrypts user verification data with the user’s device MAC address using the RSA algorithm, so that authentication could be done over two stages: on the client’s device and on the server.

Testing the system proved that the hacker couldn’t get access to the cloud’s server even if he/she was able to hijack the cookie file, and even if authentication was done through the same web server as the cloud. The program is very small in size and works without prompting the user for any input unless the user chooses to change the encryption key size (for advanced users). 

Conflict of Interest:

The authors declare that they have no conflict of interest.

Funding:

No funding sources

Ethical approval:

The study was approved by the Tikrit University, Tikrit, Iraq.

REFERENCES
  1. Kanoosh et al., "Enhance Penetration Testing Techniques to Improve Cybersecurity with NetLogo, Nmap, and Wireshark," Journal of Natural and Applied Sciences Ural, 2.1 (2024): 100-122, https://doi.org/10.59799/APPP6605.

  2. Pancholi and Patel, "Enhancement of Cloud Computing Security with Secure Data Storage Using AES," International Journal for Innovative Research in Science and Technology, 2.9 (2016): 18-21.

  3. IBM, “A Brief History of Cloud Computing,” IBM Blog, 18 Mar. 2014, www.ibm.com/blogs/cloud-computing/2014/03/18/a-brief-history-of-cloud-computing-3/. Accessed 29 June 2018.

  4. Harmening, "Virtual Private Networks," Computer and Information Security Handbook, 2.1 (2025): 979-992, https://doi.org/10.1016/B978-0-443-13223-0.00059-X.

  5. Bansal and Agrawal, "Providing Security, Integrity and Authentication Using ECC Algorithm in Cloud Storage," Computer Communication and Informatics (ICCCI), Jan. 2017: 1-5.

  6. Alam, "Cloud Computing and Its Role in Information Technology," IAIC Transactions on Sustainable Digital Innovation (ITSDI), 2.1 (2025), https://pandawan.aptisi.or.id/index.php/att/article/view/59. Accessed 4 Feb. 2025.

  7. Bempah et al., "A Modified AES-512 Bits Algorithm for Data Encryption," European Journal of Pure and Applied Mathematics, 17.2 (2024): 979-995, https://doi.org/10.29020/nybg.ejpam.v17i2.5114.

  8. Alam, "Cloud Computing and Its Role in Information Technology," IAIC Transactions on Sustainable Digital Innovation (ITSDI), 2.1 (2025), https://pandawan.aptisi.or.id/index.php/att/article/view/59. Accessed 4 Feb. 2025.

  9. Bempah et al., "A Modified AES-512 Bits Algorithm for Data Encryption," European Journal of Pure and Applied Mathematics, 17.2 (2024): 979-995, https://doi.org/10.29020/nybg.ejpam.v17i2.5114.

  10. Latif et al., "Cloud Computing Risk Assessment: A Systematic Literature Review," Future Information Technology, 1.1 (2014): 285-295.

  11. Rong et al., "Beyond Lightning: A Survey on Security Challenges in Cloud Computing," Computers & Electrical Engineering, 39.1 (2013): 47-54.

  12. Sachdev and Bhansali, "Enhancing Cloud Computing Security Using AES Algorithm," International Journal of Computer Applications, 67.9 (2013).

  13. Abbas et al., "Recent Trends of Smart Home Automation System," 2019, https://www.researchgate.net/publication/350580561.

  14. Al-Qaysi et al., "Dynamic Decision-Making Framework for Benchmarking Brain–Computer Interface Applications," Neural Computing and Applications, 36.17 (2024): 10355-10378.

  15. Arora et al., "Secure User Data in Cloud Computing Using Encryption Algorithms," International Journal of Engineering Research and Applications, 3.4 (2013): 1922-1926.

  16. Yu et al., "Identity-Based Remote Data Integrity Checking with Perfect Data Privacy Preserving for Cloud Storage," IEEE Transactions on Information Forensics and Security, 12.4 (2017): 767-778.

  17. OWASP, “OWASP Top 10-2017: The Ten Most Critical Web Application Security Risks,” OWASP, https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf. Accessed 29 June 2018.

  18. Ahmed et al., "An Intelligent Attendance System Based on Convolutional Neural Networks for Real-Time Student Face Identifications," Journal of Engineering Science and Technology, 17.5 (2022): 3326-3341.

  19. Balen et al., "Comparative Performance Evaluation of Popular Virtual Private Servers," Journal of Internet Technology, 21.2 (2020): 343-356, https://doi.org/10.3966/160792642020032102003.

  20. Kondala and Patibandla, "Design and Create VPC in AWS," 2024, https://ojs.boulibrary.com/index.php/JAIGS.
