Privacy Protection Based Access Control Scheme in Cloud-Based Services - 1crore Projects
Kai Fan, Qiong Tian, Nana Huang
State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, China

Yue Wang
School of Information Engineering, Xi’an University, Xi’an, China

Hui Li
State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an, China

Yintang Yang
Key Lab. of the Minist. of Educ. for Wide Band-Gap Semiconductor Materials and Devices, Xidian University, Xi’an, China
Abstract—With the rapid development of computer technology, cloud-based services have become a hot topic. Cloud-based services not only provide users with convenience, but also bring many security issues. Therefore, the study of access control schemes to protect users' privacy in the cloud environment is of great significance. In this paper, we present an access control system with privilege separation based on privacy protection (PS-ACS). In the PS-ACS scheme, we divide the users into personal domain (PSD) and public domain (PUD) logically. In the PSD, we set read and write access permissions for users respectively. The Key-Aggregate Encryption (KAE) is exploited to implement the read access permission, which improves the access efficiency. A high degree of patient privacy is guaranteed simultaneously by exploiting an Improved Attribute-based Signature (IABS), which can determine the users’ write access. For the users of PUD, a hierarchical attribute-based encryption (HABE) is applied to avoid the issues of single point of failure and complicated key distribution. Functional and performance testing results show that the PS-ACS scheme can achieve privacy protection in cloud-based services.

Keywords- access control; data sharing; privacy protection; cloud-based services

I. INTRODUCTION

With the rapid development of cloud computing, big data and public cloud services have been widely used. The user can store his data in the cloud service. Although cloud computing brings great convenience to enterprises and users, cloud computing security has always been a major hazard. For users, it is necessary to take full advantage of the cloud storage service and also to ensure data privacy. Therefore, we need to develop an effective access control solution. Since the traditional access control strategy [1] cannot effectively solve the security problems that exist in data sharing, and the data security issues brought by data sharing have seriously hindered the development of cloud computing, various solutions to achieve encryption and decryption of data sharing have been proposed. In 2007, Bethencourt et al. [2] first proposed the ciphertext policy attribute-based encryption (CP-ABE). However, this scheme does not consider the revocation of access permissions. In 2011, Hur et al. [3] put forward a fine-grained revocation scheme, but it can easily cause a key escrow issue. Lewko et al. [4] used multi authority ABE (MA-ABE) to solve the key escrow issue, but the access policy is not flexible. Li et al. [5] presented a data sharing scheme based on systemic attribute encryption, which endows different users with different access rights, but it falls short in complexity and efficiency. In 2014, Chen et al. [6] proposed the Key-Aggregate Encryption algorithm, effectively shortening the length of the ciphertext and the key, but only for the situation where the data owner knows the user's identity. The schemes above each focus on only one aspect of the research, and do not have strict uniform standards either. In this paper, we present a more systematic, flexible and efficient access control scheme. To this end, we make the following main contributions:

1. We propose a novel access control system called PS-ACS, which is privilege separation based on privacy protection. The system uses the Key-Aggregate Encryption (KAE) scheme and the Hierarchy Attribute-based Encryption (HABE) scheme to implement read access control in the PSD and PUD respectively. The KAE scheme greatly improves access efficiency, and the HABE scheme largely reduces the task of a single authority and protects the privacy of user data.

2. Compared with the MAH-ABE scheme, which does not refer to write access control, we exploit an Improved Attribute-based Signature (IABS) [7-9] scheme to enforce write access control in the PSD. In this way, the user can pass the cloud server’s signature verification without disclosing the identity, and successfully modify the file.

3. We provide a thorough analysis of the security and complexity of our proposed PS-ACS scheme. The functionality and simulation results provide data security in acceptable performance impact, and prove the feasibility of the scheme.

II. SYSTEM MODEL

As shown in Fig.1, our system model consists of the data owner, users in PSD, users in PUD, root authority CA, regional authority AA and cloud service provider, which are defined as follows.

1. The cloud service provider consists of two parts: data storage server and data service management. Data storage
server is responsible for storing confidential data files, and data service management is in charge of controlling external users’ access to secret data and returning the corresponding ciphertext.

2. In the actual cloud environment, CA manages multiple AAs, and each AA manages attributes in its own field. The attributes owned by the user are issued by different authorities.

3. Personal domain (PSD), in which users have special privileges, such as family, personal assistant, close friends and partners. This domain has a small number of users and small-scale attributes, and the data owner knows the user's identity, which is easy to manage.

4. Public domain (PUD), which owns a huge number of users with unknown identity and a lot of attributes owned by the user.

5. Data Owner, who develops different access control strategies based on the characteristics of users in the public and personal domains, encrypts uploaded files using the corresponding encryption method and then sends them to the cloud server.

[Fig. 1: system model diagram. Recoverable labels: Cloud Service Provider (data file server, data service manager), CA, AA, Owner, Users, Key, Private Area, Public Area; request file, return ciphertext, modify file, signature and upload the encrypted file, signature verification, users revocation, delete files, assign attributes, distribution keys.]

have a close relationship with the owner and the number is small, there is no need to use the CP-ABE, which is applicable to the scenario which has a lot of users whose identities are unknown to the owner, while the KAE scheme is set for a small number of users with certain identities. Besides, the distribution and management of keys and attributes and the encryption and decryption process of CP-ABE are much more complex compared with the KAE scheme. Therefore, the KAE is exploited to implement the read access permission, which improves the access efficiency.

Based on the above analysis, the paper uses the Aggregate Key Encryption scheme to encrypt the data files to realize different read access control. The specific application process of the KAE algorithm is as follows.

1. System setup and file encryption. The system first runs Setup of KAE to establish the public system parameter and master key. Each owner classifies the files by their data attribute, such as “photo files”, “blog files” and “game files”. Fig.2 shows the way to classify the files. Choose and label the files, denoted by $i$ $(i \in \{1, 2, \ldots, n\})$; note that a file class $i$ cannot be the subset of another file class $j$ $(j \in \{1, 2, \ldots, n\})$. Then the owner’s client application runs Encrypt of KAE using the public key and the number of the classification file to encrypt the PHR files and sends them to the cloud.

2. Access and key distribution. When the user sends an access request to the cloud server and his file index number is $i$, the cloud server returns the corresponding encrypted classification file to the user. The owner authorizes users' access permission with the file index numbers denoted by $j$ and sends the collection $S$ of all the index numbers $j$ to CA. CA generates an aggregate decryption key for a set of ciphertext classes via Extract of KAE and sends it to the corresponding user. Finally, any user with an aggregate key can decrypt any ciphertext whose class is contained in the aggregate key via Decrypt of KAE.
[Figure 5. The signature and authentication time of IABS. Horizontal axis: the number of leaf nodes.]

VI. CONCLUSIONS

In this paper, we propose an access control system (PS-ACS), which is privilege separation based on privacy protection. Through the analysis of the cloud environment and the characteristics of the user, we divide the users into personal domain (PSD) and public domain (PUD) logically. In the PSD, the KAE algorithm is applied to implement users' read access permissions and greatly improves efficiency. The IABS scheme is employed to achieve the write permissions and the separation of read and write permissions to protect the privacy of the user's identity. In the PUD, we use the HABE scheme to avoid the issues of single point of failure and to achieve data sharing. Furthermore, the paper analyzes the scheme from security and efficiency, and the simulation results are given. By comparing with the MAH-ABE scheme, the proposed scheme shows the feasibility and superiority to protect the privacy of data in cloud-based services.

Foundation funded project (No.2013M542328), and National 111 Program of China B16037 and B08038.

REFERENCES

[1] S. Yu, C. Wang, K. Ren, “Achieving secure, scalable, and fine-grained data access control in cloud computing,” Proc. IEEE INFOCOM, pp. 1-9, 2010.
[2] J. Bethencourt, A. Sahai, B. Waters, “Ciphertext-policy attribute-based encryption,” Proc. Security and Privacy, pp. 321-334, 2007.
[3] J. Hur, D.K. Noh, “Attribute-based access control with efficient revocation in data outsourcing systems,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 7, pp. 1214-1221, 2011.
[4] A. Lewko, B. Waters, “Decentralizing attribute-Based encryption,” Proc. Advances in Cryptology-EUROCRYPT, pp. 568-588, 2011.
[5] M. Li, S. Yu, Y. Zheng, “Scalable and secure sharing of personal health records in cloud computing using attribute-Based Encryption,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 1, pp. 131-143, 2013.
[6] C.K. Chu, S.S.M. Chow, W.G. Tzeng, “Key-aggregate cryptosystem for scalable data sharing in cloud storage,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 468-477, 2014.
[7] J. Li, K. Kim, “Hidden attribute-based signatures without anonymity revocation,” Information Sciences, vol. 180, no. 9, pp. 1681-1689, 2010.
[8] H.K. Maji, M. Prabhakaran, M. Rosulek, “Attribute-Based Signatures,” Proc. Topics in Cryptology - CT-RSA, pp. 376-392, 2011.
[9] S. Kumar, S. Agrawal, S. Balaraman, “Attribute based signatures for bounded multi-level threshold circuits,” Proc. Public Key Infrastructures, Services and Applications, pp. 141-154, 2011.