WebCloud Web-Based Cloud Storage For Secure Data Sharing Across Platforms
Abstract—With more and more data moving to the cloud, the privacy of user data has raised great concerns. Client-side encryption/decryption seems to be an attractive solution to protect data security; however, the existing solutions encounter three major challenges: low security due to encryption with a low-entropy PIN, inconvenient data sharing with traditional encryption algorithms, and poor usability with dedicated software/plugins that require certain types of terminals.
This work designs and implements WebCloud, a practical browser-side encryption solution, leveraging modern Web technologies. It solves all three of the above problems while achieving several additional remarkable features: robust and immediate user revocation, and fast data processing with offline encryption and outsourced decryption. Notably, our solution works on any device equipped with a Web user agent, including Web browsers, mobile and PC applications. We implement WebCloud based on ownCloud for basic file management utility, and utilize WebAssembly and the Web Cryptography API for the integration of complex cryptographic operations. Finally, comprehensive experiments are conducted with many well-known browsers, Android and PC applications, which indicate that WebCloud is cross-platform and efficient.
As an interesting by-product, the design of WebCloud naturally embodies a dedicated and practical ciphertext-policy attribute-based key encapsulation mechanism (CP-AB-KEM) scheme, which can be useful in other applications.
Index Terms—Web-Based Cloud Storage, Secure Data Sharing, Cross-Platform Encryption/Decryption Solution, Attribute-Based Encryption
1 INTRODUCTION
is inflexible and inefficient. A sender needs to obtain and specify the public keys of all receivers during encryption. Even worse, the size of the ciphertext and the encryption workload are proportional to the number of recipients, resulting in greater bandwidth and storage costs and more user expenditure.

Limitations of the Existing Solutions. Three drawbacks exist in the above-mentioned solutions: 1) comparatively poor security, 2) coarse-grained access control, inflexible and inefficient file sharing, and 3) poor usability. The first two are easy to see and we now elaborate the usability issue. Typically, users use different terminals to upload files, including desktop, Web and mobile applications [14]. However, almost all the existing solutions require additional software or plugins, thus limiting users' devices and platforms. When switching to a new device, users need to repeat the tedious installation process, which greatly increases users' burden and thus decreases usability.

1.1 Design and Challenges

In this work, we focus on designing and implementing a practical, secure and cross-platform public cloud storage system. The proposed solution, WebCloud, is a Web-based client-side encryption solution. Users encrypt and decrypt their data using Web agents, e.g., Web browsers. For the encryption algorithm, a secure and efficient Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme is proposed, which achieves encryption and access control simultaneously. The cloud service serves as a storage backend and does not handle users' secret keys. Specifically, WebCloud admits a uniform design and addresses all three of the mentioned limitations: 1) The security of WebCloud relies on the security of the proposed CP-ABE and the cryptographic keys; 2) The file sharing functionality is flexible and efficient, allowing one ciphertext to be decrypted by many receivers; and 3) WebCloud is cross-platform and works on any popular browser, without any plugin installed.

We discuss our design rationale and point out the related challenges. Recent advances in Web technology, namely Web browsers, have greatly enhanced security and usability across different platforms. On the one hand, new features such as the Web Cryptography API [15] and WebAssembly [16] have been introduced. On the other hand, today's personal computers and mobile devices have a Web browser installed by default. Therefore, it is promising to use the browser as the encryption engine. However, the efficient combination of Web techniques and cryptographic schemes is completely nontrivial since each technique has its own suitable scenarios.

Certain cryptographic schemes have appealing properties to be adopted in the cloud computing scenario. In particular, CP-ABE [17] has many applications in cloud data protection and sharing, since it provides fine-grained (non-interactive) access control and encryption simultaneously. In CP-ABE, an access policy is embedded into a ciphertext, thus allowing many recipients to decrypt the ciphertext. It should be promising to use CP-ABE as the encryption scheme in a client-side encryption solution. A lot of work has been done on CP-ABE, e.g., proposing new constructions [18], optimizing computation efficiency [19], [20], [21] and supporting revocation [22]. However, existing CP-ABE schemes do not combine state-of-the-art techniques, and cannot achieve efficient data encryption, robust and immediate user revocation, offline encryption and outsourced decryption simultaneously.

1.2 Our Results

We view our contribution as the uniform design, rigorous analysis and efficient implementation of WebCloud; in particular, it simultaneously achieves the following:

• Practical Encryption Solution for Cloud Storage. We introduce WebCloud, a practical client-side encryption solution for public cloud storage, which effectively combines modern Web techniques and cryptographic algorithms. WebCloud involves a key management mechanism, a dedicated attribute-based encryption scheme and a high-speed implementation. More importantly, WebCloud is cross-platform (including major browsers, Android and PC) and plugin-free.
• Fine-Grained Access Control Mechanism with ABE. It is widely accepted that attribute-based encryption (ABE) is promising for fine-grained access control of data. However, we find that the existing ABE schemes suffer from high computational overhead, or lack vital functionalities, i.e., they do not provide efficient data encryption, robust and immediate user revocation, offline encryption and outsourced decryption simultaneously. To solve this problem, we propose a dedicated ciphertext-policy attribute-based access control mechanism. The proposed scheme can also be used in other scenarios.
• Rigorous Security Analysis. We present a security model of WebCloud, including the adversarial models for the Web and the cryptographic scheme simultaneously. The security analysis is then done in the proposed model, namely, the provable security of the proposed CP-ABE scheme and the reliability of the key storage on the browser side.
• Efficient Operation inside Browsers. We implement WebCloud based on ownCloud [23]. The functionalities and performance are evaluated in major browsers on many devices, and in applications on PC and Android devices. The benchmark results indicate that WebCloud is a practical solution. Most remarkably, in the Chrome browser on a 4-core 2.2 GHz MacBook machine, encrypting a 1 GB file takes 3.1 seconds, while decryption costs 3.9 seconds.

We describe a scenario of WebCloud. When used inside a corporation, the company itself generates and distributes secret keys, and any public cloud service can be adopted as the cloud server. When an employee joins the company, he/she registers with a set of attributes, e.g., ("IT Department", "Man"), and obtains a secret key. The employee shares files with others by encrypting the files under a specific access policy, e.g., "IT Department and Manager", using CP-ABE on a Web browser. The ciphertexts are then uploaded to the cloud. Employees who satisfy the access policy can download the ciphertext and decrypt on their
IEEE Transactions on Dependable and Secure Computing,Volume:19,Issue:3,Issue Date:01.May-June.2022 3
browsers. The company has no need to build its own cloud infrastructure and each employee can use personal computers or mobile devices to access the cloud. An employee is revoked from the system when he/she resigns from the company.

Organization. The rest of the paper is organized as follows. Section 2 recaps modern Web technologies and primitives. Section 3 elaborates the design of WebCloud. Section 4 gives detailed descriptions of the algorithms in WebCloud. Section 5 gives a rigorous security analysis and highlights nice features of WebCloud. Section 6 demonstrates benchmarks of WebCloud on many devices. Section 7 gives the conclusion.

1.3 Related Work

In-Browser Cryptography. Both the Web community and security researchers understand the importance and usefulness of in-browser cryptography and have made remarkable efforts in this area.

JavaScript cryptographic libraries were developed for ease of use of cryptography on browsers, for instance [24], [25], [26]. Many of these libraries have a large number of downloads, e.g., 423,368 for OpenPGP.js [24] in total. The World Wide Web Consortium (W3C) noticed this trend of using in-browser cryptography and as a solution proposed a standard called the Web Cryptography API [27], [15]. The standard supports a few widely adopted standard algorithms, e.g., AES and ECDSA, which is convenient for building several secure Web applications [28] including authenticated video services and encrypted communications via Web mail.

Meanwhile, there is research in the literature that has explored the idea of running cryptographic algorithms on Web browsers. [29] focused on using Identity-Based Cryptography for client-side security in Web applications and presented a JavaScript implementation of their scheme. They selected the Combined Public Key cryptosystem as the encryption scheme to avoid the complex computations involved in bilinear pairings and elliptic curves. ShadowCrypt [30] allows users to transparently switch to encrypted input/output for text-based Web applications. It requires a browser extension, replacing input elements in a page with secure, isolated shadow inputs and encrypted text with secure, isolated cleartext. [26] implemented several lattice-based encryption schemes and showed the speed performance on four common Web browsers on PC. Their results demonstrated that some of today's lattice-based cryptosystems can already have efficient JavaScript implementations. Recently, [31] constructed an efficient two-level homomorphic public-key encryption in prime-order bilinear groups and presented a high-performance implementation using WebAssembly that allows their scheme to be run very fast on any popular Web browser, without any plugins required.

Attribute-Based Encryption. Attribute-based encryption (ABE) was first introduced by Sahai and Waters under the name fuzzy identity-based encryption [32]. Goyal et al. [33] extended fuzzy IBE to ABE. Up to now, there are two forms of ABE: key-policy ABE (KP-ABE) [33], [34], [35], [36], where the key is assigned to an access policy and the ciphertext to a set of attributes, and ciphertext-policy ABE (CP-ABE) [17], [37], [38], where the ciphertext is assigned to an access policy and the key to a set of attributes. A user can decrypt a ciphertext if the set of attributes satisfies the access policy. In this work, CP-ABE is adopted as a building block of WebCloud: each file has an access policy to indicate the allowed receivers.

The complex pairing and exponentiation operations in ABE are mitigated by many works. Green et al. [19] introduced outsourced decryption into ABE systems such that the complex operations of decryption can be outsourced to a cloud server, only leaving one exponentiation operation for a user to recover the plaintext. Further, online/offline ABE [20] was proposed by Hohenberger and Waters, which splits the original algorithm into two phases: an offline phase which does the majority of encryption computations before knowing the attributes/access control policy and generates an intermediate ciphertext, and an online phase which rapidly assembles an ABE ciphertext with the intermediate ciphertext after the attributes/access control policy is fixed. Meanwhile, [20] proposed two scenarios for the offline phase: 1) the user does the offline work on his smartphone; 2) a high-end trusted server helps the user with a low-end device do the offline work.

2 PRELIMINARY

2.1 Modern Web Technologies

Web Cryptography API. The Web Cryptography API [15] is a standard API for accessing cryptographic primitives in JavaScript-based environments (e.g., browsers and Node.js). The API is only available within HTTPS. Actually, major Web browsers and operating systems already contain well-verified and reviewed cryptographic algorithms. The API simply exposes these algorithms to Web application developers through a standardized interface. It contains a cryptographically strong pseudo-random number generator (CSPRNG) and supports a few widely used standards, e.g., AES and PBKDF2. Unfortunately, these primitives are still insufficient for building some novel cryptographic schemes, e.g., pairing-based cryptography including Attribute-Based Encryption. Even worse, this API does not specify storage mechanisms for cryptographic keys.

WebAssembly. WebAssembly [16] is a binary instruction format for a stack-based virtual machine. It is designed as a portable target for compilation of high-level languages like C/C++/Rust, enabling deployment on the Web for client and server applications. It can be invoked from JavaScript code. WebAssembly aims at executing applications at native speed by taking advantage of common hardware capabilities available on a wide range of platforms, including mobile and IoT. The WebAssembly code is shipped to users' browsers along with other Web files (e.g., stylesheets), compiled to binary code on users' browsers and optionally cached in IndexedDB.

Web Storage. Browsers usually use the Web Storage API or IndexedDB to store data. The Web Storage API provides mechanisms to store key/value pairs, in a much more intuitive fashion than using cookies. The API includes temporary storage sessionStorage (available for the duration of the page session) and persistent storage localStorage (can be persisted even when the browser is closed and reopened). It contains megabyte storage, usually 5 MB for
Fig. 1 (labels only; figure not recovered): system model with PKG (root CA), the Data Owner's browser, the Data Consumer's browser and the Public Cloud (CUS, KUS, SS, Storage). Steps: 1) user registration (PK, CSK, TK_u); 2) MFAKE and retrieval key RK_u; 3) a. offline encryption, b. set policy and upload files, c. online encryption, CT_0 → CTInit; 4) a. request files, c. user decryption (Dec.Out → TCT, Dec.User → Key, AES decrypt), d. download files; 6) a. user revocation.
to forge Web origins [48], since this undermines the security of any Web application.

Data Security against User Collusion. In this model, some users and the cloud can collude in an arbitrary manner, e.g., they can obtain some cryptographic keys RK_u, TK_u and the cloud secret key CSK_ctr. They try to decrypt files beyond their authorized access rights. We formalize it with Definition 1 in Appendix B.

Data Security against Cloud Server. The public cloud, who can obtain CSK_ctr, the conversion keys TK_u of all the users, and all the ciphertexts, cannot decrypt the ciphertexts. We formalize it with Definition 2 in Appendix B.

User Revocation Validity. In this model, a revoked user, who can obtain his/her secret keys (SK_u, TK_u, RK_u), cannot decrypt files within its authorized access rights. We formalize it with Definition 3 in Appendix B.

3.3 Deployment Architecture

As shown in Fig. 2, WebCloud consists of four functional modules (M1 to M4).

M1. WebCloud Core. This module works in a user's browser and contains crypto and storage modules. The crypto module further implements the following submodules.

• CP-AB-KEM1 submodule includes offline and online encryption, i.e., algorithms Enc.Offline and Enc.Online. Meanwhile, the submodule implements LSSS and a converter from access policy string to access structure. The converter can convert an access policy string, e.g., "(Employee and IT department) or Manager", to an access structure (M, ρ). To the best of our knowledge, it is the first time that LSSS and the converter are implemented in a JavaScript environment. This submodule takes advantage of WebAssembly by adopting MCL-WASM [49].
• Utilization submodule packs some useful routines, e.g., encrypting users' retrieval key RK_u, deriving the AES key using PBKDF2, AES encryption and decryption, etc. These routines invoke the Web Cryptography API.
• MFAKE submodule helps to establish a secure channel for retrieval key distribution. We implement the MFAKE protocol proposed in [43].

The storage module implements a cache storage layer in IndexedDB, which allows storing and obtaining users' encrypted retrieval keys RK_u. Meanwhile, it also maintains a cache in sessionStorage, which contains intermediate ciphertexts (generated by offline encryption).

M2. WebCloud Storage. This module also works in users' browsers and provides access and query routines for Web storage, which are used by the storage management submodule of M1. It provides storage in browsers for the WebCloud system, including data consumers' retrieval keys in IndexedDB and intermediate ciphertexts in sessionStorage.

M3. Cloud Crypto Module. This module implements cryptographic routines at the server side, which includes the following submodules.

• CP-AB-KEM2 submodule implements the CUS, KUS, DS services in the cloud. It includes ciphertext initialization and outsourced decryption routines, i.e., algorithms CTInit, CSKUpdate, CTUpdate, and Dec.Out. This submodule relies on MCL-C [49].
• Utility submodule contains useful functionalities, including file processing and logging functionality.
• Serialization submodule converts bytes to the ABE ciphertext CT_0 and converts the transformed ciphertext TCT to bytes.
• Revocation submodule maintains the revocation list L. It provides add, delete and query functions of the list L to other submodules.

M4. Key Management. This module works in PKG and contains two modules. The authentication module authenticates users' identities via the multi-factor authenticated key exchange (MFAKE) protocol [43]. The key storage module is responsible for storing users' retrieval keys securely and returning a user's key on receiving an authenticated user's request.
Fig. 2 (labels only; figure not recovered): M1. WebCloud Core (JavaScript) with a Crypto Module (CP-AB-KEM1, Utilization, MFAKE, MCL-WASM, Web Worker, Web Cryptography API) and a Storage Module (Intermediate Ciphertext Storage, Key Storage Management); M2. WebCloud Storage with IndexedDB (User1: Encrypted RK1, User2: Encrypted RK2, …) and sessionStorage (Object id → IT1, IT2, …); M3. Cloud Crypto Module (CP-AB-KEM2, Utility, Serialization, Revocation, MCL-C); M4. Key Management (Authentication Module with MFAKE, Key Storage Module). The modules communicate over HTTPS.

Fig. 3 (labels only; figure not recovered): User Master Password → PBKDF2 Hashing (100,000 rounds) → AES Key; in the Data Consumer's browser the Encrypted RK_u stored in IndexedDB is decrypted with AES-128 into RK_u held in memory; RK_u itself is obtained from PKG via MFAKE.

4.1 Description of Algorithms

We now elaborate the algorithms of WebCloud (cf. Fig. 1). Some acronyms are listed in Table 1.

TABLE 1: Acronyms Used in This Paper (table body not recovered)
$K_{j,2} = g^{r_j}$, $K_{j,3} = (u^{A_j} h)^{r_j} \cdot v^{-r}$. PKG outputs a secret key $SK_u = (S, K_0, K_1, \{K_{j,2}, K_{j,3}\}_{j \in [1,k]})$.

KG.Random(PK, SK_u). On input a public key PK and a secret

tion procedure is divided into three parts as depicted in Fig. 4. The encryption is in the KEM/DEM setting.

Offline encryption in browser (before an access policy is known): This algorithm processes almost all the costly operations in the encryption algorithm of CP-AB-KEM. On opening the WebCloud website, a Web worker (cf. Section 2.1) is created in the background. During idle time, the worker runs the algorithm Enc.Offline() to generate a few intermediate ciphertexts IT and keys Key. Idle time is defined as: a) no online encryption part is running, b) no user decryption part is running, and c) no AES encryption or decryption is running. We store (IT, Key) in sessionStorage, which is erased automatically by browsers after the Web page is closed.

Online encryption in browser (after an access policy string and a file are given): The data owner uploads a file and specifies an access policy string, e.g., "(Employee and IT department) or Manager". Note that the policy string is a flexible logic expression, which supports "and", "or" and "()" operations. The policy string is converted to an access structure (M, ρ). Meanwhile, a pair (IT, Key) is obtained from sessionStorage. On input the access policy (M, ρ) and the intermediate ciphertext IT, the algorithm Enc.Online() generates the ABE ciphertext CT_0. The input file is encrypted with AES, using a 128-bit key derived from Key and a random initialization vector (IV). All necessary data, including the ABE ciphertext CT_0 and the AES ciphertext, are packed together and form a new file before uploading to the cloud server.

Ciphertext initialization in cloud: On receiving the uploaded file, the cloud parses the ABE ciphertext CT_0 from the file. It processes CT_0 to CT_ctr by calling the algorithm CTInit() and replaces CT_0 with CT_ctr in the file. Finally, the updated file is stored in the cloud.

The above-mentioned algorithms are as follows:

Enc.Offline(PK, N'). On input a PK and a maximum bound of N' rows in any LSSS access structure, the Web worker in the data owner's browser picks 3N' + 1 random elements $s, \{\lambda'_i, x_i, t_i\}_{i \in [1,N']} \in \mathbb{Z}_p^*$, and computes $\mathit{Key} = e(g,g)^{\alpha s}$, $C_0 = g^s$. For i = 1 to N', it then computes: $C_{i,1} = w^{\lambda'_i} v^{t_i}$, $C_{i,2} = (u^{x_i} h)^{-t_i}$, $C_{i,3} = g^{t_i}$. The Web worker outputs: $IT = (s, \mathit{Key}, C_0, \{\lambda'_i, x_i, t_i, C_{i,1}, C_{i,2}, C_{i,3}\}_{i \in [1,N']})$.

Enc.Online(PK, (M, ρ), IT). On input a public key PK, an LSSS access structure (M, ρ) [51], where M is an $l \times n$ matrix, and an intermediate ciphertext IT, the data owner's browser picks n − 1 random elements $(y_2, \ldots, y_n) \in \mathbb{Z}_p^*$ and constructs a vector $\vec{y} = (s, y_2, \ldots, y_n)^T$. It then computes a vector of shares of s as $(\lambda_1, \ldots, \lambda_l)^T = M\vec{y}$. For i = 1 to k, compute $C_{i,4} = \lambda_i - \lambda'_i$, $C_{i,5} = t_i(x_i - \rho(i))$. The browser outputs: $CT_0 = ((M, \rho), C_0, \{C_{i,1}, C_{i,2}, C_{i,3}, C_{i,4}, C_{i,5}\}_{i \in [1,l]})$.

CTInit(CT_0, CSK_ctr). On input a ciphertext CT_0 and a cloud secret key $CSK_{ctr} = (csk_{ctr}, ctr)$, the public cloud computes $C'_0 = C_0^{1/csk_{ctr}}$. For i = 1 to l, it computes: $C'_{i,1} = C_{i,1}^{1/csk_{ctr}}$, $C'_{i,2} = C_{i,2}^{1/csk_{ctr}}$, $C'_{i,3} = C_{i,3}^{1/csk_{ctr}}$, $C'_{i,4} = C_{i,4}/csk_{ctr}$, $C'_{i,5} = C_{i,5}/csk_{ctr}$. The cloud outputs: $CT_{ctr} = ((M, \rho), C'_0, \{C'_{i,1}, C'_{i,2}, C'_{i,3}, C'_{i,4}, C'_{i,5}\}_{i \in [1,l]})$.

Fig. 4 (labels only; figure not recovered): the Data Owner's browser takes IT (Intermediate Ciphertext, IndexedDB) through Online Encryption (including ABE and AES) to CT_0 and the AES ciphertext; the Public Cloud Server performs Ciphertext Initialization to obtain CT_ctr and the AES ciphertext.

Fig. 5: Data Decryption Procedure of WebCloud (labels only; figure not recovered): the Public Cloud Server checks user validity against the Revocation List and runs Outsourced Decryption, turning CT_ctr and the AES ciphertext from Cloud Storage into TCT and the AES ciphertext; the Data Consumer's Browser runs User Decryption (including ABE and AES) with RK_u to recover the File.

4) Data Decryption. As depicted in Fig. 5, file decryption is divided into two parts where the cloud server performs almost all heavy computation.

Outsourced decryption in cloud: On receiving a file download request, the cloud server checks whether the user has been revoked. If revoked, the cloud rejects the request. Otherwise, it finds the requested file in the cloud storage, parses CT_ctr from the file and transforms CT_ctr to TCT by calling the algorithm Dec.Out(). The cloud packs TCT and the AES ciphertext as a new file and returns the new file as a response to the request.

User decryption in browser: On the browser side, TCT is parsed from the response. If the retrieval key RK_u already exists in the browser memory, the key is used directly. Otherwise, the retrieval key RK_u is obtained as in 2) Key Management. The algorithm Dec.User() is invoked to decrypt TCT to obtain the encapsulated key Key. We derive the same AES key as in the encryption procedure. Finally, we decrypt the file with AES.

The above-mentioned algorithms are as follows:

Dec.Out(PK, CSK_ctr, TK_u, CT_ctr). On input a public key PK, a cloud secret key $CSK_{ctr} = (csk_{ctr}, ctr)$, a conversion key $TK_u = (S, K'_0, K'_1, \{K'_{i,2}, K'_{i,3}\}_{i \in [1,k]})$ for an attribute set S and a ciphertext $CT_{ctr}$ for access structure (M, ρ), if S does not satisfy the access structure, the cloud server outputs ⊥. Otherwise, it calculates a set $I = \{i : \rho(i) \in S\}$ and computes the constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \cdot M_i = (1, 0, \ldots, 0)$, where $M_i$ is the i-th row of the matrix M. It then computes:

$$B = e\Big(w^{\sum_{i \in I} C'_{i,4}\,\omega_i}, K'_1\Big) \cdot \prod_{i \in I} e(C'_{i,1}, K'_1)^{\omega_i} \cdot \prod_{i \in I} \Big(e\big(C'_{i,2} \cdot u^{C'_{i,5}}, K'_{j,2}\big) \cdot e(C'_{i,3}, K'_{j,3})\Big)^{\omega_i}$$

The cloud outputs $TCT = \big(e(C'_0, K'_0)/B\big)^{csk_{ctr}} = e(g,g)^{\alpha s/\tau}$.

Dec.User(TCT, RK_u). On input a TCT and a retrieval key $RK_u = \tau$, the data consumer's browser outputs the encapsulated key $\mathit{Key} = TCT^{RK_u} = e(g,g)^{\alpha s}$.

Fig. 6: Cloud Secret Key Update Procedure of WebCloud (labels only; figure not recovered): in the Public Cloud Server, CSK_1 → CSK Update → CSK_2 → … → CSK_ctr → CSK Update (∆_ctr') → CSK_ctr'; in Cloud Storage, (CT_ctr and AES ciphertexts) → Ciphertext Update → (CT_ctr' and AES ciphertexts).

5) Cloud Secret Key Update. The cloud secret key CSK is of great importance to the revocation mechanism. If CSK leaks, the user revocation functionality is in vain. Therefore,
we update CSK periodically or in emergency situations (e.g., CSK is leaked or stolen).

Cloud Secret Key Update: This procedure is depicted in Fig. 6. Assume the current cloud secret key is CSK_ctr. When CSK_ctr is required to be updated, the public cloud server invokes the algorithm CSKUpdate() to generate a new key CSK_ctr' and an increment ∆_ctr'. The cloud then updates all stored ABE ciphertexts CT_ctr to CT_ctr' by calling the algorithm CTUpdate(). Once all ciphertexts have been updated, the cloud sets the current secret key to CSK_ctr', and deletes CSK_ctr and all old ABE ciphertexts CT_ctr from its storage.

The above-mentioned algorithms are as follows:

CSKUpdate(PK, CSK_ctr). On input a public key PK and a cloud secret key $CSK_{ctr} = (csk_{ctr}, ctr)$ where $ctr \in \{1, 2, \ldots\}$, the cloud server updates the counter $ctr' = ctr + 1$, picks a random element $\beta_{ctr'} \in \mathbb{Z}_p^*$ and computes $csk_{ctr'} = csk_{ctr} \cdot \beta_{ctr'} = \prod_{i=1}^{ctr'} \beta_i$. The cloud outputs the updated cloud secret key $CSK_{ctr'} = (csk_{ctr'}, ctr')$ and the increment $\Delta_{ctr'} = \beta_{ctr'}$.

CTUpdate(ctr', CT_{ctr'−1}, ∆_ctr'). On input an updated counter $ctr' \in \{2, 3, \ldots\}$, a ciphertext $CT_{ctr'-1} = ((M, \rho), C_0, \{C_{i,1}, C_{i,2}, C_{i,3}, C_{i,4}, C_{i,5}\}_{i \in [1,l]})$ and an increment $\Delta_{ctr'} = \beta_{ctr'}$, the cloud server computes $C'_0 = C_0^{1/\beta_{ctr'}}$. For i = 1 to l, the cloud computes $C'_{i,1} = C_{i,1}^{1/\beta_{ctr'}}$, $C'_{i,2} = C_{i,2}^{1/\beta_{ctr'}}$, $C'_{i,3} = C_{i,3}^{1/\beta_{ctr'}}$, $C'_{i,4} = C_{i,4}/\beta_{ctr'}$, $C'_{i,5} = C_{i,5}/\beta_{ctr'}$. It outputs: $CT_{ctr'} = ((M, \rho), C'_0, \{C'_{i,1}, C'_{i,2}, C'_{i,3}, C'_{i,4}, C'_{i,5}\}_{i \in [1,l]})$.

6) Key and User Revocation. WebCloud supports both key and user revocation, and does not support attribute revocation. To revoke a user key, PKG runs KG(S, MSK) to generate a new secret key SK'_u and KG.Random(PK, SK'_u) to obtain RK'_u and TK'_u. PKG replaces RK_u with RK'_u and distributes TK'_u to the public cloud, which deletes the previous transformation key TK_u directly. The key revocation takes effect immediately after the cloud updates its transformation key. To revoke a user from the system, PKG sends a revocation request to the public cloud server to revoke a data consumer, whereupon the cloud inserts an entry into the revocation list L by calling the algorithm Revoke(). The revocation takes effect immediately after the insertion. On receiving a user's file download request, the cloud compares the user identity u against the list L and rejects the request if a match is found. Without the help of the cloud, data consumers cannot decrypt files individually. The size of the list L is the same as the number of revoked users in the system. Many efficient algorithms exist for finding an element in a(n) (ordered) list, e.g., binary search or a hash table.

The above-mentioned algorithms are as follows:

Revoke(u, L). On input a user identity u and a revocation list L = {(id)} where id is the user identity, the cloud server adds an entry (u) to the list L, i.e., $L' = L \cup \{(u)\}$.

4.2 A Tailored CP-AB-KEM for WebCloud

Ciphertext-policy attribute-based key encapsulation mechanism (CP-AB-KEM) is an important component of WebCloud (Section 4.1). It simultaneously achieves offline encryption and outsourced decryption, and robust and immediate user revocation, while only a small number of computations are left to the user. The proposed CP-AB-KEM derives from the offline encryption and outsourced decryption techniques in [19], [20], [52], and combines the immediate user revocation mechanism in [53]. For completeness, we give the syntax in Appendix A and elaborate the scheme in the supplementary material. We emphasize that this CP-AB-KEM is useful in many scenarios.

Correctness: We require the standard correctness property: for an attribute universe U, a user identity u and $\lambda, N, N' \in \mathbb{N}$, for all $(PK, MSK, CSK_1) \in \mathrm{Setup}(\lambda, U)$, all $SK_u \in \mathrm{KG}(S, MSK)$, all $(RK_u, TK_u) \in \mathrm{KG.Random}(SK_u)$, all $IT \in \mathrm{Enc.Offline}(PK, N')$, all $CT_0 \in \mathrm{Enc.Online}(PK, (M, \rho), IT)$, all $CT_{ctr} \in \mathrm{CTInit}(CT_0, CSK_{ctr})$, all $(CSK_{ctr'}, \Delta_{ctr'}) \in \mathrm{CSKUpdate}(PK, CSK_{ctr})$, all $CT_{ctr'} \in \mathrm{CTUpdate}(ctr', CT_{ctr'-1}, \Delta_{ctr'})$, all $TCT \in \mathrm{Dec.Out}(PK, CSK_{ctr}, TK_u, CT_{ctr})$, if S satisfies (M, ρ) and the user u was not revoked, $\mathrm{Dec.User}(TCT, RK_u)$ outputs the encapsulated Key.

Security: The security proof of the proposed CP-AB-KEM scheme is given in Appendices B and C.

4.3 Security Enhancement of PKG

In the WebCloud system, all users' secret keys are derived from the master secret key MSK, which is stored in the trusted PKG. In reality, a single point of failure, e.g., loss of MSK, will immediately lead to system failure. It is of great importance to provide simple mechanisms to enhance the security of MSK and the system.

An effective way is secret sharing, i.e., splitting the MSK into multiple pieces. Without loss of generality, we consider a (t, n) threshold scheme.

As shown in Fig. 7, there are 1 root PKG, n child PKG_i (1 ≤ i ≤ n) and a combiner PKG_c. PKG is responsible for generating PK, MSK and n shares of α, and distributes the i-th share MSK_i to PKG_i. When generating a user's secret key SK_u, PKG_i generates a partial secret key SK_{u,i} using its share. The combiner PKG_c combines any t partial keys to SK_u, and invokes KG.Random to obtain TK_u and RK_u.

Fig. 7: Secret Sharing of Master Secret Key (labels only; figure not recovered): the root PKG distributes MSK_i to PKG_i (1 ≤ i ≤ n); the child PKG_i send partial keys SK_{u,i_1}, …, SK_{u,i_t} to PKG_c; PKG_c sends PK, CSK_1 and TK_u to the Cloud and RK_u to the User.
† The root PKG exits the system after setup. Any t child PKG_i, the combiner PKG_c, the cloud and optionally the user should stay online.

Note that we only change the system setup and user secret key generation phases. Other phases are processed as in Section 4.1. After the setup phase, the root PKG is removed from the system. To make the system work, any t out of n child PKG_i and also the combiner PKG_c should stay online. This makes the combiner PKG_c an attractive attack target. In Section 5.1, we show that compromise of PKG_c does not reveal MSK. However, user secret keys generated after the compromise may be leaked. PKG_c going offline, or more than n − t child PKG_i going offline, will affect the usability, but not the security
of the system, i.e., the user secret key generation service will be temporarily unavailable.

In this work, we use Shamir's Secret Sharing [54]. Let $\ell_i(x)$ denote the Lagrange polynomial: $\ell_i(x) = \prod_{m=1,\, m \neq i}^{t} \frac{x - x_m}{x_i - x_m}$. The following algorithms are defined:

Setup'(λ, U). On input a security parameter λ and an attribute universe U, PKG performs the following actions:
1) Chooses a bilinear map $D = (\mathbb{G}, \mathbb{G}_T, e, p)$, where $p \in \Theta(2^\lambda)$ is the prime order of the groups $\mathbb{G}$ and $\mathbb{G}_T$. The attribute universe U consists of elements in $\mathbb{Z}_p^*$.
2) Chooses random generators $g, h, u, v, w \in \mathbb{G}$, and picks two random elements $\alpha, \beta_1 \in \mathbb{Z}_p^*$.
3) Determines the parameters n (number of child PKGs) and t (minimal number of PKGs needed to construct a user secret key).
4) Selects t − 1 random elements $a_1, \ldots, a_{t-1}$ from $\mathbb{Z}_p^*$, and constructs $f(x) = \alpha + a_1 x + \cdots + a_{t-1} x^{t-1}$. It then generates n random points $(x_i, y_i)$ (i ∈

Security of the Master Secret Key. We discuss the security of the secret sharing in Section 4.3. PKG invokes the algorithm Setup' to generate and distribute shares of α. After that, the quantity α, all n points and the polynomial f(x) are erased completely. In the Combine algorithm, the combiner takes t partial user secret keys where each key contains a share. Note that each share is given in the form $(x_i, g^{y_i} w^{r_i})$ and the Lagrange polynomials are computed in the exponent. Since the $r_i$ are randomly selected by PKG_i, $g^{y_i} w^{r_i}$ is indistinguishable from a random group element. The finally computed $K_0 = g^{\alpha} w^{r}$ is also indistinguishable from a random element. This is actually an ElGamal ciphertext. Thus, the combiner cannot extract α from its inputs. Certainly, t PKG_i can collude to construct the polynomial f(x) and obtain α. This can be mitigated by increasing the value of t and letting each PKG_i be a different company.

Security of retrieval keys. The retrieval key RK_u is obtained from PKG after the user is authenticated with the MFAKE protocol [43] and is only used in the browser memory. Meanwhile, if RK_u is not used for a period of time (e.g., 30
{1, . . . , n}) where xi is randomly selected from Z∗p minutes), it is erased from the memory.
and yi = f (xi ). Optionally, RKu can be encrypted with a user master
5) Erases α and also the polynomial f (x) completely. password and stored in IndexedDB. When necessary, i.e., on
6) Sets a counter ctr = 1. Finally, PKG outputs: PK = decrypting files, the user is required to input the user master
(D, g, h, u, v, w, e(g, g)α ), n partial master secret key password to decrypt RKu . Note that our usage of password
MSKi = (xi , yi ) and CSK1 = (csk1 = β1 , ctr). is different from the existing password-based solutions as
KG0 (S, MSKi ). On input an attribute set S = (A1 , . . . , Ak ) mentioned in Section 1, where the password-protected file is
and a point MSKi = (xi , yi ), PKGi picks a random element transmitted over a public channel and the password cannot
ri ∈ Z∗p and computes Ki,0 = g yi wri , Ki,1 = g ri . For j from be changed once the file is sent, where an offline brute-
1 to k , it picks random ri,j ∈ Z∗p and computes Ki,j,2 = force search is possible in that scenario. In WebCloud, we
g ri,j , Ki,j,3 = (uAj h)ri,j · v −ri . PKG outputs a partial secret only store the encrypted retrieval keys locally and require
key SKu,i = (S, xi , Ki,0 , Ki,1 , {Ki,j,2 , Ki,j,3 }j∈[1,k] ). the password to be updated periodically, e.g., 7 days. So,
Combine(SKu,i1 , . . . , SKu,it ). On input t partial user secret obtaining the ciphertexts should be difficult, and a short
keys SKu,im where m ∈ [1, t], im ∈ [1, n] and all im are dif- update period with possible usage of salt will make offline
brute-force search attach useless.
ferent, thePcombiner PKGc first computes
t Ptt quantities `im (0).
Let r = m=1 ri m · ` i m (0). Let r j = m=1 rim ,j · `im (0).
Security of the encapsulated key. During offline encryption
Qt `im (0)
It then Q computes K0 = m=1 (K im ,0 ) = g α · wr , phase, several intermediate ciphertexts IT and encapsulated
t `im (0) r key Key are generated. When encrypting a file, an AES key
K1 = m=1 (KimQ ,1 ) = g . For j from 1 to k , it
t `i (0) is derived from the encapsulated key Key. If an adversary
computes:
Qt K j,2 = m=1 (K i m ,j,2 ) m = g rj and Kj,3 =
`im (0) Aj rj −r
= (u h) · v . The user secret obtains Key, he can decrypt the file. Thus, we store IT and
m=1 (Kim ,j,3 )
key is SKu = (S, K0 , K1 , {Kj,2 , Kj,3 }j∈[1,k] ). The combiner Key in sessionStorage, which will be erased after the Web
invokes KG.Random(PK, SKu ) to generate RKu and TKu . page is closed, to avoid being persistent.
Security of AES keys. The AES algorithm is used in
WebCloud for many times. The AES keys are derived using
5 A NALYSIS OF W EB C LOUD
the Web Cryptography API with the field extractable set
5.1 Security Analysis to false, meaning that the keys cannot be obtained by
In this section, we analyze WebCloud in the security models JavaScript codes and exported outside of the browser.
defined in Section 3.2. Security of the proposed CP-ABE. The security of the pro-
Passive Man-in-the-Middle. In this attack model, the at- posed CP-ABE is given in Theorem 1 and the the security
tacker observes all network traffic, thus he may be able proof is postponed to Appendix B.
to find out the access policy of each file and notice that a
data consumer is uploading or downloading files. But due Theorem 1. The proposed ciphertext-policy attribute-based en-
to the IND-CPA property of used encryption schemes (CP- cryption mechanism can achieve Data Security Against User
AB-KEM and AES-GCM/AES-CBC), the adversary cannot Collusion in Definition 1, Data Security Against Cloud Server in
learn the content of encrypted files. Definition 2, User Revocation Validity in Definition 3, if the CP-
Web Attacker Model. It is typically impossible to prove the ABE scheme in [55] is selective Chosen Plaintext Attack (CPA)-
security of a complex Web application in the Web attacker secure.
model – even Google’s websites suffer from vulnerabilities
under this attacker model. However, in WebCloud, the main
attack target would be the cryptographic keys. We highlight 5.2 Features Analysis
the protection mechanisms of keys in WebCloud: We highlight a few nice properties of WebCloud.
Table 2 (comparison of client-side cloud data protection solutions):

Scheme                    Security Level   Cross-Platform   Revocation Mechanism   Immediate   File Sharing   Single Receiver   N Receivers
Password-Based solutions  Low              ×                ×                      ×           Inflexible     Fast              Depends on N
RSA-AES paradigm          High             ×                CRL, OCSP              ×           Inflexible     Fast              Depends on N
Ours                      High             √                Server-Aided           √           Flexible       Fast              Fast
Data Privacy. In WebCloud, all files are encrypted and decrypted locally, i.e., in browsers. The cloud only sees ciphertext and deals with ciphertext.

Flexible File Sharing. By assigning an access policy to each file, an encrypted file can be decrypted by multiple data consumers as long as their attributes satisfy the access policy. The user only encrypts a file one time and the cloud only stores one copy of each encrypted file. In a corporation scenario, an employee can share a file with all managers of the sales department by setting the access policy to “Sales Department and Manager”, without the need to find out who the concrete receivers are or their public keys, as in the password-based solutions and the RSA-AES paradigm. If a new employee is hired, he can decrypt all the ciphertexts that match his/her attributes immediately. In existing schemes, manual encryption and sharing to the employee are required.

User and Key Revocation. The revocation mechanism is efficient and immediately effective. The cloud server revokes a data consumer by adding the consumer to the revocation list L. On receiving a consumer’s download request, the cloud checks the list L and rejects revoked consumers’ requests. The key revocation is achieved by requiring PKG to regenerate a new SK_u and the related (RK_u, TK_u), and distribute RK_u to the user and TK_u to the cloud server.

Usability and Efficiency. WebCloud only requires a Web user agent and does not require any additional software, Java applet or browser plugin. WebCloud is fully optimized in two aspects: a) the proposed CP-AB-KEM scheme is very suitable for browser-side cryptography, which moves almost all costly computations offline and outsourced, and b) the implementation fully utilizes the power of modern Web techniques, including WebAssembly, Web Cryptography API, Web Workers and Web storage. The functionalities and performance are tested in major browsers on different devices, including both laptops and mobiles (cf. Section 6.2).

Cloud Server Key-Exposure Resistance. The cloud secret key CSK is important to the revocation mechanism. If CSK leaks, the revocation functionality is useless. Thus, WebCloud introduces a key-exposure resistance property for CSK. Concretely, the cloud updates CSK periodically (or when the key is leaked). Meanwhile, it updates all stored ABE ciphertexts and deletes the old ciphertexts when CSK is updated.

5.3 Comparisons with Related Work

We compare WebCloud with existing client-side cloud data protection solutions in terms of security, usability, revocation, and performance (cf. Table 2). The comparison of the proposed CP-ABE scheme and other CP-ABE schemes is given in Section 6.

Comparing with existing solutions, WebCloud has two main innovations:
1) We propose and adopt a dedicated CP-AB-KEM scheme as the encryption algorithm. This provides WebCloud with high-level security and flexible file sharing.
2) We use the Web context as the encryption environment. This provides WebCloud with cross-platform support.
This provides many practical advantages for WebCloud.

Security. The security of password-based solutions relies on low-entropy passwords, thus the security level is typically low, i.e., tens of bits [10]. In contrast, the security of the RSA-AES paradigm and WebCloud is based on cryptographic keys. When adopting appropriate parameters and key lengths, i.e., RSA-3072 and AES-128, the security level achieves at least 128 bits. In the above analysis, we assume the adopted cryptographic primitives are provably secure.

Usability. Both the existing client-side encryption solutions and WebCloud allow users to encrypt and decrypt on their devices. However, the above-mentioned client-side solutions require additional software or browser plugins for each operating system and browser. In contrast, WebCloud doesn’t require any additional software or plugins. It effectively combines state-of-the-art Web techniques, including Web Cryptography API and WebAssembly, thus it can be accessed in any Web context, e.g., Web browsers in desktop computers and mobile phones, WebView in Android applications, and native applications using the Electron framework. Usually, Web browsers are installed by default on today’s devices.

Revocation. Password-based encryption schemes have no user management or revocation mechanisms. Relying on PKI, the RSA-AES paradigm can adopt Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP) to achieve certificate revocation, i.e., user revocation. WebCloud adopts a server-aided revocation mechanism, which supports both user and key revocation. The time required for the revocation to take effect depends on the response of the cloud server, which should take effect immediately in most cases.

File Sharing. Password-based solutions have no file sharing or access control mechanisms. Users need to manually share the data with all receivers. For the RSA-AES paradigm, the sender must collect all receivers’ public keys and encrypt under those keys, resulting in large storage space and increased workload. Leveraging CP-ABE, WebCloud can encrypt a file under a possibly complicated access policy of receivers. Even a future-joined user can decrypt the ciphertexts without any interaction and workload of the data sender.

Most research on ABE focused on theoretical aspects, including proposing new constructions, reducing the computation complexity, etc. In this work, we aim at proposing a practical cloud storage solution and implementing
Comparison of CP-ABE schemes:

Scheme   Enc.Online    Dec.User                     Transfer Size (KG)               Transfer Size (Enc)      Transfer Size (Dec)           Revocable
[55]     (5l + 2)Exp   (|I|)Exp + (3|I| + 1)P       0                                0                        |A| + (3l + 1)|G| + 1|GT|     ×
[20]     0             (|I| + 1)Exp + (3|I| + 2)P   0                                0                        |A| + (3l + 1)|G| + 2l|Zp|    ×
[52]     3Exp          3Exp                         0                                (3 + 3l)|G| + 3l|Zp|     |A| + 1|G| + 1|GT|            ×
[21]     1Exp          1Exp                         2((2 + 2y)|G| + (2 + 2y)|Zp|)    (4 + 6l)|G| + 4l|Zp|     |A| + 1|GT|                   ×
Ours     0             1Exp                         0                                0                        |A| + 1|GT|                   √

‡ Exp and P denote a modular exponentiation and a pairing computation, respectively. y, l and I indicate the number of attributes, the access policy size, and the set that satisfies the decryption requirement, respectively. |A|, |G| and |GT| denote the size of an access structure, an element in G and an element in GT, respectively.
[Fig. 8: running-time plots. Recoverable from the figure residue: y-axis “Time in milliseconds”; x-axis “# Policy attributes” (10 to 100) for the CP-AB-KEM panels and “File size (MB)” (10 to 64) for the AES panels; series: Chrome, Firefox and Safari on macOS, Chrome, Firefox and Safari on iOS, Edge on Windows, Chrome on Android, Native on macOS; panel titles (g) AES Decrypt Time (GCM), (h) AES Encrypt Time (CBC), (i) AES Decrypt Time (CBC).]
ning time is about 0.46∼5.32 ms. Most notably, even when the size of the access structure increases to 100, the online encryption part only requires 3.31 ms in Chrome. For mobile browsers, the running time is about 0.81∼11.99 ms. Fig 8(c) presents the running time of CTInit on the cloud server. On macOS, the running time is about 4∼37 ms. On Ubuntu, the running time is about 5∼52 ms. Fig 8(d) presents the running time of Dec.Out on the cloud server. On macOS, the running time is about 22∼165 ms. On Ubuntu, the running time is about 25∼236 ms. Fig 8(e) presents the running time of Dec.User in browsers. For laptop browsers, the running time is about 1.97∼3.35 ms. For mobile browsers, the running time is about 3.20∼13.99 ms. Actually, except for Chrome on Huawei Honor 10, the other browsers have a running time within 4 ms.

Benchmark of Data Encryption/Decryption: We also benchmarked the data encryption/decryption routines, namely key deriving, encryption and decryption of AES. We omit the key deriving routine in Fig 8, which is small and stable in different browsers. Its running time is about 0.73∼2.15 ms for most browsers except Microsoft Edge, which does not support the PBKDF2 key deriving mechanism. We instead use the SJCL library [25], resulting in 151 ms latency for Edge. The AES encryption and decryption performance is tested with different file sizes (1, 2, 4, 8 and 16 megabytes, respectively). All files are generated randomly. Fig 8(f) - (i) present the running time of AES encryption and decryption in the GCM and the CBC modes, respectively. As for the GCM mode, encrypting 64 MB of data in Safari costs 95 ms, with only 84 ms for decryption.

Benchmark for Large File Operations: We further tested files with sizes 128, 256, 512 and 1,024 MB in the Chrome browser on macOS with an Apache server running on macOS. Each instance is executed 100 times and the average result is taken. Table 5 presents the total execution time of encryption and decryption. Note that we only compute the actual time that will be noticed by users. The file transmission time is omitted since it mainly depends on the network. For encryption, only Enc.Online, AES key deriving
and AES encryption are counted. For decryption, Dec.Out and Dec.User are counted. As shown in Table 5, the proposed CP-AB-KEM scheme only adds less than 1% overhead during encryption and decryption. The AES encryption and decryption occupy most of the execution time. Remarkably, encrypting a 1 GB file takes about 3.1/4.1 seconds, while decryption costs 3.9/2.8 seconds, in the GCM/CBC mode.

Applications on Android and PCs: We pack WebCloud into a desktop application on macOS and a mobile application on Android. We perform the benchmark of CP-AB-KEM and AES as above. The benchmark results have no notable differences from the results in the browser on the same platform. This is because the browsers use the same engine, typically WebKit or Blink. The benchmark results are omitted.

Comparisons with Native Libraries: We implement all algorithms in C++ using the MCL-C library and the OpenSSL library. In Fig 8 (a)(b)(e)(f)(g)(h)(i), we present the running time of CP-AB-KEM and AES in C++ on macOS. Running algorithms natively is faster. Algorithms in CP-AB-KEM are about 7∼10 times faster than running them in browsers on macOS. Native AES encryption is about 1.78 times faster and decryption is 4.75 times faster. Overall, the algorithms run faster with the native library, which is reasonable.

7 CONCLUSION

We propose WebCloud, a practical client-side encryption solution for public cloud storage in the Web setting, where users do cryptography with only browsers. We analyze the security of WebCloud, implement WebCloud based on ownCloud and conduct a comprehensive performance evaluation. The experimental results show that our solution is practical. As an interesting by-product, the design of WebCloud naturally embodies a dedicated CP-AB-KEM scheme, which is useful in many other applications.

REFERENCES

[1] “Vulnerability and threat in 2018,” Skybox Security, Tech. Rep., 2018. [Online]. Available: https://lp.skyboxsecurity.com/WICD-2018-02-Report-Vulnerability-Threat-18 Asset.html
[2] D. Lewis, “iCloud data breach: Hacking and celebrity photos,” Duo Security, Tech. Rep., September 2014. [Online]. Available: https://www.forbes.com/sites/davelewis/2014/09/02/icloud-data-breach-hacking-and-nude-celebrity-photos
[3] T. Hunt, “Hacked Dropbox login data of 68 million users is now for sale on the dark web,” Tech. Rep., September 2016. [Online]. Available: https://www.troyhunt.com/the-dropbox-hack-is-real/
[4] “Amazon data leak,” ElevenPaths, Tech. Rep., November 2018. [Online]. Available: https://www.elevenpaths.com/amazon-data-leak/index.html
[5] K. Korosec, “Data breach exposes trade secrets of carmakers GM, Ford, Tesla, Toyota,” TechCrunch, Tech. Rep., July 2018. [Online]. Available: https://techcrunch.com/2018/07/20/data-breach-level-one-automakers/
[6] M. Grant, “$93M class-action lawsuit filed against city of Calgary for privacy breach,” Tech. Rep., October 2017. [Online]. Available: http://www.cbc.ca/news/canada/calgary/city-calgary-class-action-93-million-privacy-breach-1.4321257
[7] (2020, April) Secure file transfer — Whisply. [Online]. Available: https://whisp.ly/en
[8] (2020, April) Cryptomator: Free cloud encryption for Dropbox and others. [Online]. Available: https://cryptomator.org/
[9] (2020, April) Whitepapers from SpiderOak. [Online]. Available: https://spideroak.com/whitepapers/
[10] W. Ma, J. Campbell, D. Tran, and D. Kleeman, “Password entropy and password quality,” in Fourth International Conference on Network and System Security, NSS 2010, Melbourne, Victoria, Australia, September 1-3, 2010, Y. Xiang, P. Samarati, J. Hu, W. Zhou, and A. Sadeghi, Eds. IEEE Computer Society, 2010, pp. 583–587. [Online]. Available: https://doi.org/10.1109/NSS.2010.18
[11] (2020, April) AWS SDK support for Amazon S3 client-side encryption. [Online]. Available: https://docs.aws.amazon.com/general/latest/gr/aws sdk cryptography.html
[12] (2020, April) Cloud storage security - secure cloud storage from Tresorit. [Online]. Available: https://tresorit.com/security
[13] (2020, April) MEGA - secure cloud storage and communication. [Online]. Available: https://mega.nz/
[14] E. Bocchi, I. Drago, and M. Mellia, “Personal cloud storage: Usage, performance and impact of terminals,” in 4th IEEE International Conference on Cloud Networking, CloudNet 2015, Niagara Falls, ON, Canada, October 5-7, 2015. IEEE, 2015, pp. 106–111. [Online]. Available: https://doi.org/10.1109/CloudNet.2015.7335291
[15] “Web Cryptography API,” the Web Cryptography WG of the W3C, Tech. Rep., January 2017. [Online]. Available: https://www.w3.org/TR/WebCryptoAPI/
[16] A. Haas, A. Rossberg, D. L. Schuff, B. L. Titzer, M. Holman, D. Gohman, L. Wagner, A. Zakai, and J. Bastien, “Bringing the web up to speed with WebAssembly,” in ACM SIGPLAN Notices, vol. 52, no. 6. ACM, 2017, pp. 185–200.
[17] B. Waters, “Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization,” in International Workshop on Public Key Cryptography. Springer, 2011, pp. 53–70.
[18] W. Zhu, J. Yu, T. Wang, P. Zhang, and W. Xie, “Efficient attribute-based encryption from R-LWE,” Chin. J. Electron, vol. 23, no. 4, pp. 778–782, 2014.
[19] M. Green, S. Hohenberger, B. Waters et al., “Outsourcing the decryption of ABE ciphertexts,” in USENIX Security Symposium, vol. 2011, no. 3, 2011.
[20] S. Hohenberger and B. Waters, “Online/offline attribute-based encryption,” in International Workshop on Public Key Cryptography. Springer, 2014, pp. 293–310.
[21] R. Zhang, H. Ma, and Y. Lu, “Fine-grained access control system based on fully outsourced attribute-based encryption,” Journal of Systems and Software, vol. 125, pp. 344–353, 2017.
[22] S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute based data sharing with attribute revocation,” in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, 2010, pp. 261–270.
[23] (2020, April) ownCloud - the leading opensource cloud collaboration platform. [Online]. Available: https://owncloud.org/
[24] (2020, April) OpenPGP implementation for JavaScript. [Online]. Available: https://github.com/openpgpjs/openpgpjs
[25] E. Stark, M. Hamburg, and D. Boneh, “Symmetric cryptography in JavaScript,” in Computer Security Applications Conference, 2009. ACSAC ’09. Annual. IEEE, 2009, pp. 373–381.
[26] Y. Yuan, C.-M. Cheng, S. Kiyomoto, Y. Miyake, and T. Takagi, “Portable implementation of lattice-based cryptography using JavaScript,” International Journal of Networking and Computing, vol. 6, no. 2, pp. 309–327, 2016.
[27] H. Halpin, “The W3C Web Cryptography API: motivation and overview,” in Proceedings of the 23rd International Conference on World Wide Web. ACM, 2014, pp. 959–964.
[28] A. Rangathan, “Web cryptography use-cases. Working draft, W3C, 2013.”
[29] Z. Guan, Z. Cao, X. Zhao, R. Chen, Z. Chen, and X. Nan, “WebIBC: Identity based cryptography for client side security in web applications,” in Distributed Computing Systems, 2008. ICDCS ’08. The 28th International Conference on. IEEE, 2008, pp. 689–696.
[30] W. He, D. Akhawe, S. Jain, E. Shi, and D. Song, “ShadowCrypt: Encrypted web applications for everyone,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014, pp. 1028–1039.
[31] N. Attrapadung, G. Hanaoka, S. Mitsunari, Y. Sakai, K. Shimizu, and T. Teruya, “Efficient two-level homomorphic encryption in prime-order bilinear groups and a fast implementation in WebAssembly,” in Proceedings of the 2018 on Asia Conference on Computer and Communications Security, 2018, pp. 685–697.
[32] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2005, pp. 457–473.
[33] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security. ACM, 2006, pp. 89–98.
[34] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryption with non-monotonic access structures,” in Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, 2007, pp. 195–203.
[35] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, “Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption,” in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2010, pp. 62–91.
[36] T. Okamoto and K. Takashima, “Fully secure functional encryption with general relations from the decisional linear assumption,” in Annual Cryptology Conference. Springer, 2010, pp. 191–208.
[37] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in 2007 IEEE Symposium on Security and Privacy (SP ’07). IEEE, 2007, pp. 321–334.
[38] L. Cheung and C. Newport, “Provably secure ciphertext policy ABE,” in Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007, pp. 456–465.
[39] (2020, April) IndexedDB API. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB API
[40] A. Bhargav-Spantzel, A. C. Squicciarini, S. K. Modi, M. Young, E. Bertino, and S. J. Elliott, “Privacy preserving multi-factor authentication with biometrics,” Journal of Computer Security, vol. 15, no. 5, pp. 529–560, 2007. [Online]. Available: http://content.iospress.com/articles/journal-of-computer-security/jcs292
[41] A. P. Sabzevar and A. Stavrou, “Universal multi-factor authentication using graphical passwords,” in 2008 IEEE International Conference on Signal Image Technology and Internet Based Systems. IEEE, 2008, pp. 625–632.
[42] X. Huang, Y. Xiang, E. Bertino, J. Zhou, and L. Xu, “Robust multi-factor authentication for fragile communications,” IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 6, pp. 568–581, 2014.
[43] R. Zhang, Y. Xiao, S. Sun, and H. Ma, “Efficient multi-factor authenticated key exchange scheme for mobile communications,” IEEE Transactions on Dependable and Secure Computing, 2017.
[44] Y. Sutcu, Q. Li, and N. Memon, “Design and analysis of fuzzy extractors for faces,” Proceedings of SPIE - The International Society for Optical Engineering, vol. 7306, 05 2009.
[45] J. Li, C. Jia, J. Li, and X. Chen, “Outsourcing encryption of attribute-based encryption with MapReduce,” in International Conference on Information and Communications Security. Springer, 2012, pp. 191–201.
[46] T. Dierks and E. Rescorla, “RFC 5246,” The Transport Layer Security (TLS) Protocol Version, vol. 1, 2008.
[47] A. Barth, C. Jackson, and J. C. Mitchell, “Securing frame communication in browsers,” Communications of the ACM, vol. 52, no. 6, pp. 83–91, 2009.
[48] A. Barth, “The web origin concept,” Tech. Rep., 2011.
[49] M. Shigeo. (2020, April) A portable and fast pairing-based cryptography library. [Online]. Available: https://github.com/herumi/mcl
[50] P. A. Grassi, J. L. Fenton, E. Newton, R. Perlner, A. Regenscheid, W. Burr, J. Richer, N. Lefkovitz, J. Danker, Y.-Y. Choong et al., “NIST Special Publication 800-63B: Digital identity guidelines,” Enrollment and Identity Proofing Requirements. URL: https://pages. nist. gov/800-63-3/sp800-63a. html, 2017.
[51] A. Beimel, “Secure schemes for secret sharing and key distribution,” Ph.D. dissertation, Technion-Israel Institute of Technology, Faculty of Computer Science, 1996.
[52] H. Ma, R. Zhang, Z. Wan, Y. Lu, and S. Lin, “Verifiable and exculpable outsourced attribute-based encryption for access control in cloud computing,” IEEE Transactions on Dependable and Secure Computing, vol. 14, no. 6, pp. 679–692, 2017.
[53] H. Ma, R. Zhang, S. Sun, Z. Song, and G. Tan, “Server-aided fine-grained access control mechanism with robust revocation in cloud computing,” IEEE Transactions on Services Computing, pp. 1–1, 2019.
[54] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
[55] Y. Rouselakis and B. Waters, “Practical constructions and new proof methods for large universe attribute-based encryption,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM, 2013, pp. 463–474.
[56] (2020, April) jQuery File Upload plugin. [Online]. Available: https://github.com/blueimp/jQuery-File-Upload
[57] (2020, April) sabre/dav: the most popular WebDAV framework for PHP. [Online]. Available: https://github.com/sabre-io/dav
[58] (2020, April) Electron: Build cross platform desktop apps with JavaScript, HTML, and CSS. [Online]. Available: https://www.electronjs.org/

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their valuable comments. This work was partially supported by the National Natural Science Foundation of China (Nos. 61772520, 61802392, 61972094, 61472416, 61632020), the Key Research and Development Project of Zhejiang Province (Nos. 2017C01062, 2020C01078), and the Beijing Municipal Science & Technology Commission (Project Numbers Z191100007119007, Z191100007119002). Shuzhou Sun and Hui Ma contributed equally to this paper and are labeled as co-first authors. The corresponding author is Rui Zhang.

Shuzhou Sun received his B.E. degree in software engineering from the Nanjing University of Aeronautics and Astronautics, Nanjing, China, in 2015. He is currently a PhD student in information security with the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China. His research interests include applied cryptography and information security.

Hui Ma received his B.E. degree in information security from Nanjing University of Aeronautics and Astronautics, Nanjing, China, in 2012. He received his Ph.D. degree in information security from the Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China, in 2017. Now he is with the Institute of Information Engineering, Chinese Academy of Sciences as an associate professor. His research interests include applied cryptography and the security of cloud computing.