Dual Access Control

Uploaded by

cloudcrypt1

SYNOPSIS

OBJECTIVE

Because a cloud-based storage service operates over an open network, it is critical
that service providers adopt secure data storage and sharing mechanisms to protect
data confidentiality and user privacy. Encryption is the most widely used approach
for protecting sensitive data against compromise. However, simply encrypting data
(e.g., using AES) does not fully meet the practical needs of data management.
Furthermore, effective access control over download requests must be addressed so
that Economic Denial of Sustainability (EDoS) attacks cannot disrupt users' ability
to use the service. In this work, we investigate dual access control in the context
of cloud-based storage, building a control mechanism over both data access and
download requests without loss of security and efficiency. In the proposed systems,
outsourced data is encrypted before being uploaded to the cloud, and nobody can
access it without proper access credentials. Given outsourced data, the cloud
server cannot identify the data owner, which preserves the owner's privacy
throughout data storage and sharing. After uploading encrypted data to the cloud,
the data owner maintains control over it through access policies. In particular, a
data owner can encrypt his outsourced data under a specified access policy, so that
only the group of authorized data users who match the policy can access the data.
The cloud server can control the download requests made by any system user, and
those requests can be made anonymous.
ABSTRACT
Cloud-based data storage service has drawn increasing interest from both
academia and industry in recent years due to its efficient and low-cost
management. Since it provides services in an open network, it is urgent for service
providers to make use of secure data storage and sharing mechanisms to ensure data
confidentiality and service user privacy. To protect sensitive data from being
compromised, the most widely used method is encryption. However, simply
encrypting data (e.g., via AES) cannot fully address the practical needs of data
management. Besides, effective access control over download requests also
needs to be considered so that Economic Denial of Sustainability (EDoS) attacks
cannot be launched to hinder users from enjoying the service. In this paper, we
consider dual access control in the context of cloud-based storage, in the sense
that we design a control mechanism over both data access and download requests
without loss of security and efficiency. Two dual access control systems are
designed in this paper, each for a distinct setting. The
security and experimental analysis for the systems are also presented.
MODULES
Data owner:

Data owner holds the data and wants to outsource his data to the cloud. In
particular, data owners only want to share their data with those who satisfy certain
conditions (e.g., student, professors or principal). They will be offline once their
data have been uploaded to the cloud.
Data User:
Data user wants to download and decrypt the encrypted data shared in the cloud.
Those who are authorized can download the encrypted file and further decrypt it to
access the plaintext.
Authority:
Authority is responsible for initializing system parameters and data user
registration. Also, it handles the call request from the cloud in the first
proposed construction.
Cloud Server:
The cloud provides a convenient storage service for data owners and data users.
Specifically, it stores the outsourced data from data users and handles the
download requests sent by data users.
SYSTEM REQUIREMENTS:

HARDWARE REQUIREMENTS:

• System : Pentium i3 Processor
• Hard Disk : 500 GB
• Monitor : 15" LED
• Input Devices : Keyboard, Mouse
• RAM : 4 GB

SOFTWARE REQUIREMENTS:

• Operating system : Windows 10
• Coding Language : Java
• Tool : Apache NetBeans IDE 16
• Database : MySQL
CONCLUSION
We explored an intriguing and long-standing issue in cloud-based data sharing and
demonstrated two dual access control methods. The proposed systems can
withstand DDoS/EDoS attacks. We claim that the approach utilized to establish
control over download requests is "transplantable" to various CP-ABE designs.
Our experimental results reveal that the suggested systems have no substantial
computational or communication overhead (relative to the underlying CP-ABE
building block).
In our improved approach, we rely on the fact that the private information stored in
the enclave cannot be recovered. However, recent research indicates that an enclave
may leak some of its secret(s) to a hostile host via memory access patterns or other
side-channel attacks.
CHAPTER 1

INTRODUCTION

1.1 PROJECT OVERVIEW

In recent decades, cloud-based storage service has attracted considerable
attention from both academia and industry. It may be widely used in many
Internet-based commercial applications (e.g., Apple iCloud) due to its long list of
benefits, including access flexibility and freedom from local data management. An
increasing number of individuals and companies nowadays prefer to outsource their
data to a remote cloud so that they can reduce the cost of upgrading their local
data management facilities/devices. However, the worry of a security breach over
outsourced data may be one of the main obstacles hindering Internet users from
widely using cloud-based storage service. In many practical applications,
outsourced data may need to be further shared with others. For example, a
Dropbox user Alice may share photos with her friends. Without using data
encryption, prior to sharing the photos, Alice needs to generate a sharing link and
then share the link with her friends. Although this guarantees some level of access
control over unauthorized users (e.g., those who are not Alice's friends), the
sharing link may be visible at the Dropbox administration level (e.g., an
administrator could reach the link). Since the cloud (which is deployed in an open
network) is not fully trusted, it is generally recommended to encrypt the data prior
to uploading it to the cloud to ensure data security and privacy. One of the
corresponding solutions is to directly apply an encryption technique (e.g., AES)
to the outsourced data before uploading it to the cloud, so that only a specified
cloud user (with a valid decryption key) can gain access to the data via valid
decryption.

1.2 PROBLEM DESCRIPTION

The fear of a security breach using outsourced data may be one of the primary
barriers preventing Internet users from broadly embracing cloud-based storage.
Aside from economic loss, unrestricted downloads may allow network attackers to
monitor encrypted download data, potentially resulting in information leakage (for
example, file size).
In the current approach, the data owner must produce a set of challenge
ciphertexts in order to withstand the attack, which increases the computing cost.
Second, as a test, a data user must decrypt one of the challenge ciphertexts, which
requires a number of costly operations (for example, pairing).
Both parties' computational complexity will necessarily rise, therefore significant
network bandwidth is necessary for the

1.3 OBJECTIVES

Secure Data Storage:

Develop mechanisms for secure data storage in cloud-based environments to
protect sensitive information from unauthorized access and data breaches.

Data Sharing Mechanisms:

Implement secure data sharing mechanisms that ensure data confidentiality and
user privacy while facilitating collaboration and information exchange among
authorized users.
Access Control:

Design and implement effective access control mechanisms to regulate data access
and download requests, preventing unauthorized access attempts and potential
Economic Denial of Sustainability (EDoS) attacks.

Efficiency:

Balance security measures with system efficiency to ensure that data management
processes are not overly burdensome or restrictive for users, while still maintaining
a high level of data security.

Dual Access Control:

Develop dual access control systems that cover both data access and download
request control, providing comprehensive security measures without compromising
system performance or usability.

Security Analysis:

Conduct thorough security analyses to assess the effectiveness of the designed
access control mechanisms in preventing unauthorized access, data leakage, and
potential security threats.

Experimental Validation:

Perform experimental evaluations to validate the security, performance, and
scalability of the developed access control systems in real-world cloud-based
storage environments, providing empirical evidence of their effectiveness and
reliability.
CHAPTER 2

LITERATURE SURVEY

2.1 EXISTING SYSTEM:

Antonis Michalas proposed a data sharing protocol that combines symmetric searchable
encryption and ABE, which allows users to directly search over encrypted data. To
implement the functionality of key revocation in ABE, the protocol utilizes SGX to host a
revocation authority.
Bakas and Michalas later extended the protocol and proposed a hybrid encryption scheme
that reduces the problem of multi-user data sharing to that of a single-user. In particular,
the symmetric key used for data encryption is stored in an SGX enclave, which is
encrypted with an ABE scheme. It deals with the revocation problem in the context of
ABE by employing the SGX enclave.

DISADVANTAGES OF EXISTING SYSTEM:

The worry of security breach over outsourced data may be one of the main obstacles
hindering Internet users from widely using cloud-based storage service.
Apart from economic loss, unlimited download itself could open a window for network
attackers to observe the encrypted download data that may lead to some potential
information leakage (e.g., file size).
In the existing system, the data owner is required to generate a set of challenge
ciphertexts in order to resist the attack, which increases the owner's computational
burden. Second, a data user is required to decrypt one of the challenge ciphertexts
as a test, which costs plenty of expensive operations (e.g., pairing).
The computational complexity of both parties is inevitably increased and, meanwhile,
high network bandwidth is required for the delivery of ciphertexts. The considerable
computational power of the cloud is not fully considered.

2.2 PROPOSED SYSTEM:


In this project, we propose a new mechanism, dubbed dual access control, to tackle the
existing system problem. To guarantee the confidentiality of outsourced data without loss
of policy based access control, we start with a CP-ABE system, which is seen as one of
the building blocks. We further employ an effective control over data users’ download
request on the top of the CP-ABE system. We design a new approach to avoid using the
technique of “testing” ciphertext. Specifically, we allow data user to generate a download
request. Upon receiving the download request
SGX, a cloud server is able to check if the data user is authorized to gain access to the
data. No other information is revealed to the cloud server except the knowledge of
whether the user is authorized. Based on the above mechanism, the cloud maintains the
control of the download request.
In our proposed systems, the outsourced data is encrypted prior to being uploaded to
the cloud. No one can access it without valid access rights. Given outsourced data,
the cloud server cannot identify the data owner, so the anonymity of the owner is
guaranteed in data storage and sharing. The data owner keeps control of his encrypted
data via an access policy after uploading the data to the cloud. In particular, a data
owner can encrypt his outsourced data under a specified access policy such that only a
group of authorized data users, matching the access policy, can access the data. The
cloud server is able to control the download request issued by any system user, where
the download request can be set to be anonymous. With the control over download
requests, we state that our systems are resistant to EDoS attacks.
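
A minimal model of the two checks described above, added here as an illustration and not code from this project or from the underlying scheme. Plain Python stands in for the CP-ABE and SGX cryptography; the class names, the opaque registration token, the file name and the sample policy are assumptions, and the policy uses k-of-n threshold gates, which is slightly more general than the AND/OR conditions in the text.

```python
"""Toy model of dual access control (added illustration, hypothetical names).
Plain Python stands in for the CP-ABE and SGX cryptography."""
import secrets


def satisfies(policy, attrs):
    """Policy tree: a leaf is an attribute string; a gate is (k, children),
    satisfied when at least k children are. AND = (n, ...), OR = (1, ...)."""
    if isinstance(policy, str):
        return policy in attrs
    k, children = policy
    return sum(satisfies(child, attrs) for child in children) >= k


class Authority:
    """Registers data users and answers the cloud's call request."""

    def __init__(self):
        self._attrs_by_token = {}  # opaque token -> attribute set

    def register_user(self, attrs):
        token = secrets.token_hex(16)  # random: no identity, no attributes
        self._attrs_by_token[token] = frozenset(attrs)
        return token

    def is_authorized(self, token, policy):
        # The cloud learns only this boolean, nothing about the attributes.
        attrs = self._attrs_by_token.get(token)
        return attrs is not None and satisfies(policy, attrs)


class CloudServer:
    """Stores ciphertexts and gates every download request before egress."""

    def __init__(self, authority):
        self._authority = authority
        self._store = {}       # file id -> (policy, ciphertext); no owner id
        self.egress_bytes = 0  # what the provider bills for
        self.denied = 0

    def upload(self, file_id, policy, ciphertext):
        self._store[file_id] = (policy, ciphertext)

    def download(self, token, file_id):
        entry = self._store.get(file_id)
        if entry is None or not self._authority.is_authorized(token, entry[0]):
            self.denied += 1   # refused before any ciphertext leaves
            return None
        self.egress_bytes += len(entry[1])
        return entry[1]


def demo():
    authority = Authority()
    cloud = CloudServer(authority)
    # Constructed policy: professor OR (student AND cs-dept).
    policy = (1, ["professor", (2, ["student", "cs-dept"])])
    cloud.upload("grades.enc", policy, b"\x00" * 4096)  # stand-in ciphertext

    professor = authority.register_user({"professor"})
    cs_student = authority.register_user({"student", "cs-dept"})
    outsider = authority.register_user({"student", "math-dept"})

    served = [cloud.download(t, "grades.enc") is not None
              for t in (professor, cs_student)]
    # EDoS-style flood from a registered but unauthorized user, plus a forged token.
    flood = [cloud.download(outsider, "grades.enc") for _ in range(1000)]
    forged = cloud.download("not-a-registered-token", "grades.enc")
    return served, flood.count(None), forged, cloud.egress_bytes, cloud.denied


if __name__ == "__main__":
    print(demo())
```

Only the two authorized downloads add to the billed egress; the thousand unauthorized requests and the forged token are refused before any ciphertext is sent.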

ADVANTAGES OF PROPOSED SYSTEM:

• Confidentiality of outsourced data
• Anonymity of data sharing
• Fine-grained access control over outsourced (encrypted) data
• Control over anonymous download request and EDoS attacks resistance
• High efficiency
2.3 APPLICATIONS

Enterprise Data Management:

Implement the dual access control mechanisms in enterprise cloud storage systems
to ensure secure data storage, sharing, and access control for sensitive corporate
information, intellectual property, and confidential documents.

Healthcare Information Systems:

Apply the dual access control systems in healthcare IT environments to safeguard
patient health records, medical imaging data, and other sensitive healthcare
information, ensuring compliance with regulatory standards such as HIPAA.
Financial Services:

Utilize the dual access control mechanisms in financial institutions for secure
storage and sharing of financial data, transaction records, customer information,
and sensitive business documents, protecting against unauthorized access and data
breaches.

Government Agencies:

Deploy the dual access control systems in government agencies and public sector
organizations to protect classified information, national security data, and
government documents stored in cloud-based repositories, ensuring data
confidentiality and integrity.

Academic and Research Data:


Implement the dual access control mechanisms in academic institutions and
research organizations to secure research data, scientific publications, and
intellectual property stored in cloud environments, enabling collaboration while
protecting sensitive research findings.

Legal and Law Enforcement:

Apply the dual access control mechanisms in legal firms, law enforcement
agencies, and judiciary systems for secure storage and sharing of legal documents,
case files, evidence, and sensitive legal information, ensuring data privacy and
integrity.

Media and Entertainment:

Utilize the dual access control mechanisms in media and entertainment industries
for secure storage and distribution of digital content, multimedia assets, copyright-
protected materials, and sensitive production data, protecting against piracy and
unauthorized access.

Supply Chain and Logistics:

Deploy the dual access control mechanisms in supply chain management systems
to secure supply chain data, trade secrets, supplier information, and logistics
records stored in cloud-based platforms, ensuring data confidentiality and supply
chain integrity.
CHAPTER 3

METHODOLOGY

3.1 TECHNOLOGY AND STACK SELECTION

Cloud computing is the use of computing resources (hardware and software) that
are delivered as a service over a network (typically the Internet). The name comes
from the common use of a cloud-shaped symbol as an abstraction for the complex
infrastructure it contains in system diagrams. Cloud computing entrusts remote
services with a user's data, software and computation. Cloud computing consists of
hardware and software resources made available on the Internet as managed third-
party services. These services typically provide access to advanced software
applications and high-end networks of server computers.

Structure of cloud computing

How Cloud Computing Works?


The goal of cloud computing is to apply traditional supercomputing, or high-
performance computing power, normally used by military and research facilities,
to perform tens of trillions of computations per second, in consumer-oriented
applications such as financial portfolios, to deliver personalized information, to
provide data storage or to power large, immersive computer games.
The cloud computing uses networks of large groups of servers typically running
low-cost consumer PC technology with specialized connections to spread data-
processing chores across them. This shared IT infrastructure contains large pools
of systems that are linked together. Often, virtualization techniques are used to
maximize the power of cloud computing.

Characteristics and Services Models:

The salient characteristics of cloud computing based on the definitions
provided by the National Institute of Standards and Technology (NIST) are
outlined below:

• On-demand self-service: A consumer can unilaterally provision computing
capabilities, such as server time and network storage, as needed
automatically without requiring human interaction with each service’s
provider.
• Broad network access: Capabilities are available over the network and
accessed through standard mechanisms that promote use by heterogeneous
thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
• Resource pooling: The provider’s computing resources are pooled to serve
multiple consumers using a multi-tenant model, with different physical and
virtual resources dynamically assigned and reassigned according to
consumer demand. There is a sense of location-independence in that the
customer generally has no control or knowledge over the exact location of
the provided resources but may be able to specify location at a higher level
of abstraction (e.g., country, state, or data center). Examples of resources
include storage, processing, memory, network bandwidth, and virtual
machines.
• Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in
some cases automatically, to quickly scale out and rapidly released to
quickly scale in. To the consumer, the capabilities available for provisioning
often appear to be unlimited and can be purchased in any quantity at any
time.
• Measured service: Cloud systems automatically control and optimize
resource use by leveraging a metering capability at some level of abstraction
appropriate to the type of service (e.g., storage, processing, bandwidth, and
active user accounts). Resource usage can be managed, controlled, and
reported providing transparency for both the provider and consumer of the
utilized service.

Characteristics of cloud computing


Service Models:

Cloud computing comprises three different service models, namely
Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and
Software-as-a-Service (SaaS). The three service models, or layers, are completed by
an end user layer that encapsulates the end user perspective on cloud services. The
model is shown in the figure below. If a cloud user accesses services on the
infrastructure layer, for instance, she can run her own applications on the
resources of a cloud infrastructure and remain responsible for the support,
maintenance, and security of these applications herself. If she accesses a service
on the application layer, these tasks are normally taken care of by the cloud
service provider.

Structure of service models

Benefits of cloud computing:


1. Achieve economies of scale – increase volume output or productivity with
fewer people. Your cost per unit, project or product plummets.
2. Reduce spending on technology infrastructure. Maintain easy access to
your information with minimal upfront spending. Pay as you go (weekly,
quarterly or yearly), based on demand.
3. Globalize your workforce on the cheap. People worldwide can access the
cloud, provided they have an Internet connection.
4. Streamline processes. Get more work done in less time with fewer people.
5. Reduce capital costs. There’s no need to spend big money on hardware,
software or licensing fees.
6. Improve accessibility. You have access anytime, anywhere, making your
life so much easier!
7. Monitor projects more effectively. Stay within budget and ahead of
completion cycle times.
8. Less personnel training is needed. It takes fewer people to do more work
on a cloud, with a minimal learning curve on hardware and software issues.
9. Minimize licensing new software. Stretch and grow without the need to
buy expensive software licenses or programs.
10. Improve flexibility. You can change direction without serious “people” or
“financial” issues at stake.

Advantages:

1. Price: Pay for only the resources used.
2. Security: Cloud instances are isolated in the network from other instances
for improved security.
3. Performance: Instances can be added instantly for improved performance.
Clients have access to the total resources of the Cloud’s core hardware.
4. Scalability: Auto-deploy cloud instances when needed.
5. Uptime: Uses multiple servers for maximum redundancies. In case of server
failure, instances can be automatically created on another server.
6. Control: Able to login from any location. Server snapshot and a software
library lets you deploy custom instances.
7. Traffic: Deals with spike in traffic with quick deployment of additional
instances to handle the load.
3.2 ARCHITECTURE

3.3 DEVELOPMENT

Algorithm Design:

Develop algorithms for generating search tokens, encrypting data files, and
performing secure keyword searches while ensuring forward security to prevent
information leakage.

Encryption Techniques:

Implement encryption techniques, such as AES (Advanced Encryption Standard),
to secure data stored in cloud-based environments, ensuring data confidentiality
and protection against unauthorized access.
Access Control Policies:

Design access control policies and mechanisms to regulate user permissions,
authentication, and authorization, ensuring that only authorized users can access
and download data based on predefined criteria and roles.

Secure Communication Protocols:

Implement secure communication protocols, such as TLS/SSL, to encrypt data
transmission between clients and cloud servers, preventing eavesdropping and data
interception attacks.

Audit and Logging:

Develop audit and logging mechanisms to track access and download activities,
monitor data usage patterns, and detect suspicious or unauthorized access attempts,
facilitating forensic analysis and compliance auditing.

User Interface Design:

Design user-friendly interfaces for administrators and end-users to manage access
control settings, view audit logs, configure security policies, and monitor data
access and download activities.

Integration with Cloud Platforms:

Ensure seamless integration of the dual access control mechanisms with popular
cloud storage platforms and services, enabling easy deployment, configuration, and
management for cloud users and organizations.

Security Testing:
Conduct thorough security testing, including penetration testing, vulnerability
assessments, and security audits, to identify and mitigate potential security
vulnerabilities, ensure system resilience against attacks, and validate the
effectiveness of security measures.

Performance Optimization:

Optimize the performance of the dual access control mechanisms in terms of
encryption/decryption speed, access latency, resource utilization, and scalability to
ensure optimal system performance and responsiveness under varying workload
conditions.

Documentation and Training:

Document the development process, including algorithm specifications,
implementation details, security configurations, and deployment procedures.
Provide training and educational materials for system administrators and users to
ensure proper understanding and utilization of the dual access control mechanisms.
CHAPTER 4

CONCLUSION

We addressed an interesting and long-lasting problem in cloud-based data sharing,
and presented two dual access control systems. The proposed systems are resistant
to DDoS/EDoS attacks. We state that the technique used to achieve the feature of
control on download request is “transplantable” to other CP-ABE constructions.
Our experimental results show that the proposed systems do not impose any
significant computational and communication overhead (compared to its
underlying CP-ABE building block).

In our enhanced system, we employ the fact that the secret information loaded into
the enclave cannot be extracted. However, recent work shows that an enclave may
leak some amount of its secret(s) to a malicious host through memory access
patterns or other related side-channel attacks. The model of transparent enclave
execution is hence introduced. Constructing a dual access control system for cloud
data sharing from a transparent enclave is an interesting problem. In our future
work, we will consider the corresponding solution to the problem.
REFERENCES
[1] Joseph A Akinyele, Christina Garman, Ian Miers, Matthew W Pagano, Michael
Rushanan, Matthew Green, and Aviel D Rubin. Charm: a framework for rapidly
prototyping cryptosystems. Journal of Cryptographic Engineering, 3(2):111–128,
2013.

[2] Ittai Anati, Shay Gueron, Simon Johnson, and Vincent Scarlata. Innovative
technology for cpu based attestation and sealing. In Workshop on hardware and
architectural support for security and privacy (HASP), volume 13, page 7. ACM
New York, NY, USA, 2013.

[3] Alexandros Bakas and Antonis Michalas. Modern family: A revocable hybrid
encryption scheme based on attribute-based encryption, symmetric searchable
encryption and SGX. In SecureComm 2019, pages 472–486, 2019.

[4] Amos Beimel. Secure schemes for secret sharing and key distribution. PhD
thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.

[5] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy
attribute-based encryption. In S&P 2007, pages 321–334. IEEE, 2007.

[6] Victor Costan and Srinivas Devadas. Intel sgx explained. IACR Cryptology
ePrint Archive, 2016(086):1–118, 2016.

[7] Ben Fisch, Dhinakaran Vinayagamurthy, Dan Boneh, and Sergey Gorbunov.
IRON: functional encryption using intel SGX. In Proceedings of the 2017 ACM
SIGSAC Conference on Computer and Communications Security, CCS 2017,
pages 765–782, 2017.

[8] Eiichiro Fujisaki and Tatsuaki Okamoto. Secure integration of asymmetric and
symmetric encryption schemes. In Advances in Cryptology-CRYPTO 1999, pages
537–554. Springer, 1999.

[9] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based
encryption for fine-grained access control of encrypted data. In ACM CCS 2006,
pages 89–98. ACM, 2006.

[10] Jinguang Han, Willy Susilo, Yi Mu, Jianying Zhou, and Man Ho Allen Au.
Improving privacy and security in decentralized ciphertext-policy attribute-based
encryption. IEEE transactions on information forensics and security, 10(3):665–
678, 2015.
