Yin Zhang,Ling Xiong,Fagen Li,Xianhua Niu,Hanzhou Wu

DOI: https://doi.org/10.1016/j.sysarc.2023.102949

IF: 5.836

2023-01-01

Journal of Systems Architecture

Abstract:Blockchain-based authentication mode, a fundamental solution to prevent unauthorized access behavior, gradually becomes a focus in future distributed mobile cloud computing (MCC) services. However, due to the transparent and immutable characteristics of blockchain, users' access behaviors are facing huge security and privacy threats. Storing the encrypted data on chain is an effective way to address these issues, but access permission confirmation and update in the form of ciphertext is the main bottleneck. To this end, this paper proposes a blockchain-based unified authentication and hierarchical access control scheme for the MCC environment, which provides both privacy protection and auditability. In the proposed scheme, users can access multiple MCC services with different access permissions using a single credential. To protect the privacy of both users and service providers, while still supporting auditability, the data on the public ledger is blinded using Pedersen commitments. Besides, the proposed scheme provides flexible dynamic updating in encrypted form. Theoretical analysis indicates that the proposed scheme can meet various security and privacy requirements in the MCC environment. Compared with related schemes, it has better communication efficiency. Therefore, the proposed scheme is more suitable for the actual MCC environment.

Tianyi Zhu,Weidong Liu,Jiaxing Song

DOI: https://doi.org/10.1109/CIT.2011.36

2011-01-01

Abstract:coRBAC is a specifically optimized RBAC system for cloud computing environment. It inherits the existing RBAC's role model and dRBAC's domain model, optimizes and improves the access control system for services which are hosted on the cloud computing platform. coRBAC greatly improves the certification process and user experience by reducing the unnecessary process of establishing secure connection and setting up multi-level cache, reduces the space complexity and time complexity of access control system.

Yin Zhang,Ling Xiong,Fagen Li,Yukai Hao,Zhicai Liu

DOI: https://doi.org/10.1109/jiot.2024.3361506

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Blockchain-based authentication, as a distributed system, is a significant method to achieve secure service access and provision for the distributed mobile cloud computing (MCC) environment. However, owing to the transparency of blockchain, it remains a challenge to protect users’ access behavior from disclosure. Besides, billions of users in the MCC system may cause storage bottlenecks to the blockchain network. To overcome these challenges, this paper designs two blockchain-based privacy-preserving authentication schemes supporting hierarchical access control for the MCC environment. Both schemes allow users to access multiple services with different permissions after a single registration. To address the challenges of privacy disclosure, we use polynomial commitment to replace the plaintext on the blockchain. Meanwhile, a new verification and updating of the access permission method is proposed using the homomorphic property of polynomial commitment. The first scheme works toward reducing computation costs, which is more suitable for systems with a limited number of service providers (SPs). On the other hand, the second scheme aims to reduce the storage requirements of blockchain, and it provides more efficient hierarchical access control for large-scale scenarios without requiring more storage space. Then, the security analysis demonstrates that the two schemes satisfy multiple security requirements. Finally, a comparative summary is presented to show that our schemes have good performance in computation and communication efficiency and are well suited to the MCC system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Linsheng Yu,Mingxing He,Hongbin Liang,Ling Xiong,Yang Liu

DOI: https://doi.org/10.3390/s23031264

2023-01-22

Abstract:Authentication and authorization constitute the essential security component, access control, for preventing unauthorized access to cloud services in mobile cloud computing (MCC) environments. Traditional centralized access control models relying on third party trust face a critical challenge due to a high trust cost and single point of failure. Blockchain can achieve the distributed trust for access control designs in a mutual untrustworthy scenario, but it also leads to expensive storage overhead. Considering the above issues, this work constructed an authentication and authorization scheme based on blockchain that can provide a dynamic update of access permissions by utilizing the smart contract. Compared with the conventional authentication scheme, the proposed scheme integrates an extra authorization function without additional computation and communication costs in the authentication phase. To improve the storage efficiency and system scalability, only one transaction is required to be stored in blockchain to record a user's access privileges on different service providers (SPs). In addition, mobile users in the proposed scheme are able to register with an arbitrary SP once and then utilize the same credential to access different SPs with different access levels. The security analysis indicates that the proposed scheme is secure under the random oracle model. The performance analysis clearly shows that the proposed scheme possesses superior computation and communication efficiencies and requires a low blockchain storage capacity for accomplishing user registration and updates.

Hong Sun,Xueqin Zhang,Chunhua Gu

DOI: https://doi.org/10.14257/ijgdc.2014.7.3.01

2014-01-01

International Journal of Grid and Distributed Computing

Abstract:With the development of cloud computing, and as the basis of data services, security problems of cloud storage are growing more attention. Based on distributed storage, multidomain and multi-tenant characteristics, combined with access control technologies, this paper sets up the Role-based Access Control using Ontology and domians in Cloud Storage (DOnto_RBAC), which could provide a concise and effective strategy for service providers (isps). According to the characteristics of access control in cloud storage, based on the standards (called CDMI), this paper adds Domains and Time constraints of roles into RBAC. With ontology technologies and the OWL language, this paper establishes ontology model including entities' descriptions and strategies to realize reasoning of multi-domain access control permissions. We realized our system through Python and established Restful APIs. Experiments in campus-level cloud storage called Swift showed that, using requests with Restful format commands, DOnto_RBAC was proved to be effective to manage distributed and multi-domain data in cloud storage.

Ye Lu,Tao Feng,Chunyan Liu,Wenbo Zhang

DOI: https://doi.org/10.32604/cmc.2023.046106

2024-01-01

Abstract:The Access control scheme is an effective method to protect user data privacy. The access control scheme based on blockchain and ciphertext policy attribute encryption (CP–ABE) can solve the problems of single—point of failure and lack of trust in the centralized system. However, it also brings new problems to the health information in the cloud storage environment, such as attribute leakage, low consensus efficiency, complex permission updates, and so on. This paper proposes an access control scheme with fine-grained attribute revocation, keyword search, and traceability of the attribute private key distribution process. Blockchain technology tracks the authorization of attribute private keys. The credit scoring method improves the Raft protocol in consensus efficiency. Besides, the interplanetary file system (IPFS) addresses the capacity deficit of blockchain. Under the premise of hiding policy, the research proposes a fine-grained access control method based on users, user attributes, and file structure. It optimizes the data-sharing mode. At the same time, Proxy Re-Encryption (PRE) technology is used to update the access rights. The proposed scheme proved to be secure. Comparative analysis and experimental results show that the proposed scheme has higher efficiency and more functions. It can meet the needs of medical institutions.

computer science, information systems,materials science, multidisciplinary

MyeongHyun Kim,SungJin Yu,JoonYoung Lee,YoHan Park,YoungHo Park

DOI: https://doi.org/10.3390/s20102913

IF: 3.9

2020-05-21

Sensors

Abstract:In the traditional electronic health record (EHR) management system, each medical service center manages their own health records, respectively, which are difficult to share on the different medical platforms. Recently, blockchain technology is one of the popular alternatives to enable medical service centers based on different platforms to share EHRs. However, it is hard to store whole EHR data in blockchain because of the size and the price of blockchain. To resolve this problem, cloud computing is considered as a promising solution. Cloud computing offers advantageous properties such as storage availability and scalability. Unfortunately, the EHR system with cloud computing can be vulnerable to various attacks because the sensitive data is sent over a public channel. We propose the secure protocol for cloud-assisted EHR system using blockchain. In the proposed scheme, blockchain technology is used to provide data integrity and access control using log transactions and the cloud server stores and manages the patient’s EHRs to provide secure storage resources. We use an elliptic curve cryptosystems (ECC) to provide secure health data sharing with cloud computing. We demonstrate that the proposed EHR system can prevent various attacks by using informal security analysis and automated validation of internet security protocols and applications (AVISPA) simulation. Furthermore, we prove that the proposed EHR system provides secure mutual authentication using BAN logic analysis. We then compare the computation overhead, communication overhead, and security properties with existing schemes. Consequently, the proposed EHR system is suitable for the practical healthcare system considering security and efficiency.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Zhiqiang Du,Wenlong Jiang,Chenguang Tian,Xiaofeng Rong,Yuchao She

DOI: https://doi.org/10.3390/electronics12092140

IF: 2.9

2023-05-08

Electronics

Abstract:Cloud computing is a disruptive technology that has transformed the way people access and utilize computing resources. Due to the diversity of services and complexity of environments, there is widespread interest in how to securely and efficiently authenticate users under the same domain. However, many traditional authentication methods involve untrusted third parties or overly centralized central authorities, which can compromise the security of the system. Therefore, it is crucial to establish secure authentication channels within trusted domains. In this context, we propose a secure and efficient authentication protocol, HIDA (Hyperledger Fabric Identity Authentication), for the cloud computing environment. Specifically, by introducing federated chain technology to securely isolate entities in the trust domain, and combining it with zero-knowledge proof technology, users' data are further secured. In addition, Subsequent Access Management allows users to prove their identity by revealing only brief credentials, greatly improving the efficiency of access. To ensure the security of the protocol, we performed a formal semantic analysis and proved that it can effectively protect against various attacks. At the same time, we conducted ten simulations to prove that the protocol is efficient and reliable in practical applications. The research results in this paper can provide new ideas and technical support for identity authentication in a cloud environment and provide a useful reference for realizing the authentication problem in cloud computing application scenarios.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yogesh M Gajmal,R. Udayakumar

DOI: https://doi.org/10.13052/jwe1540-9589.2054

2021-08-30

Journal of Web Engineering

Abstract:Access control is a major factor in enhancing data security in the cloud storage system. However, the existing data sharing and the access control method have privacy data leakage and key abuse, which is a major challenge in the research community. Therefore, an effective method named Blockchain-based access control and data sharing approach is developed in the cloud storage system to increase data security. The proposed Blockchain-based access control and data sharing approach effectively solve single-point failure in the cloud system. It provides more benefits by increasing the throughput and reducing the cost. The Data user (DU) makes the registration request using the ID and password and forwards it to the Data Owner (DO), which processes the request and authenticates the Data user. The information of the data owner is embedded in the transactional blockchain using the encrypted master key. The Data owner achieves the data encryption process, and encrypted files are uploaded to the Interplanetary File System (IPFS). Based on the encrypted file location and encrypted key, the Data owner generates the ciphertext metadata and is embedded in the transactional blockchain. The proposed Blockchain-based access control and data sharing approach achieved better performance using the metrics, like a better genuine user detection rate of 95% and lower responsiveness of 25sec with the blockchain of 100 sizes.

computer science, theory & methods, software engineering

Xuanmei Qin,Yongfeng Huang,Zhen Yang,Xing Li

DOI: https://doi.org/10.1016/j.sysarc.2020.101854

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:Ciphertext-policy attribute-based encryption(CP-ABE) has been widely studied and used in access control schemes for secure data sharing. Since in most of the existing attribute-based encryption methods, all user attributes are managed by a single central authority, it is easy to cause a single point of failure. Therefore, several multi-authority CP-ABE schemes are proposed to manage user attributes by multiple authorities. However, these schemes still do not eliminate the single point of failure in essence or suffer from high computation and communication overhead on data users. In this paper, we propose a Blockchain-based Multi-authority Access Control scheme called BMAC for sharing data securely. Shamir secret sharing scheme and permissioned blockchain (Hyperledger Fabric) are introduced to implement that each attribute is jointly managed by multiple authorities to avoid single point of failure. In addition, we take advantage of blockchain technology to establish trust among multiple authorities and exploit smart contracts to compute tokens for attributes managed across multiple management domains, which reduces communication and computation overhead on the data user side. Moreover, blockchain helps to record the access control process in a secure and auditable way. Finally, we analyze the security of the proposed algorithm. Further analysis and comparison show the performance of the proposed method.

Priyanka Kamboj,Shivang Khare,Sujata Pal

DOI: https://doi.org/10.1007/s12083-021-01150-1

2021-04-28

Abstract:Since the last few decades, information security has become a significant challenge for organizations' system administrators. However, the Role-Based Access Control (RBAC) model has emerged as a viable solution for organizations to meet the security requirement due to its less administrative overhead. Blockchain technology is distributive and can be used effectively in user authentication and authorization challenges. This paper proposes an RBAC model using a blockchain-based smart contract for managing user-role permissions in the organization. We design a threat and security model to resist attacks such as man-in-the-middle attacks in an organization scenario. The proposed approach uses the Ethereum blockchain platform and its smart contract functionalities to model user-resource communications. The proposed method is tested on Ropsten Ethereum Test Network and evaluated to analyze user authentication, verification, cost, and security.

computer science, information systems,telecommunications

Tang Bo,Li Qi,Sandhu Ravi

DOI: https://doi.org/10.1109/PST.2013.6596058

2013-01-01

Abstract:Most cloud services are built with multi-tenancy which enables data and configuration segregation upon shared infrastructures. In this setting, a tenant temporarily uses a piece of virtually dedicated software, platform, or infrastructure. To fully benefit from the cloud, tenants are seeking to build controlled and secure collaboration with each other. In this paper, we propose a Multi-Tenant Role-Based Access Control (MT-RBAC) model family which aims to provide fine-grained authorization in collaborative cloud environments by building trust relations among tenants. With an established trust relation in MT-RBAC, the trustee can precisely authorize cross-tenant accesses to the truster's resources consistent with constraints over the trust relation and other components designated by the truster. The users in the trustee may restrictively inherit permissions from the truster so that multi-tenant collaboration is securely enabled. Using SUN's XACML library, we prototype MT-RBAC models on a novel Authorization as a Service (AaaS) platform with the Joyent commercial cloud system. The performance and scalability metrics are evaluated with respect to an open source cloud storage system. The results show that our prototype incurs only 0.016 second authorization delay for end users on average and is scalable in cloud environments.

Suhui Liu,Jiguo Yu,Liquan Chen,Baobao Chai

DOI: https://doi.org/10.1109/tnsm.2022.3185237

2022-01-01

IEEE Transactions on Network and Service Management

Abstract:Public clouds have drawn increasing attention from academia and industry due to their high computational and storage performance. Attribute-based encryption (ABE) is the most promising technology to simultaneously achieve confidentiality and fine-grained access control of the cloud-stored data. However, traditional ABE that relies on centralized authority faces several key management issues, such as the key escrow, key distribution, key tracking, key update, and heavy communication and computing overhead for users, which will cause security concerns and impede its widespread application. On the other hand, blockchain technology preserves distributed ledgers to ensure the immutability and transparency of data, which can further solve the security vulnerabilities caused by system centralization. This paper proposes a blockchain-assisted transformation method to solve all the key management problems mentioned above in ciphertext-policy ABE by utilizing technologies such as secret sharing protocols. In addition, our transformation method realizes two additional benefits: outsourced decryption and efficient user revocation, which are extremely valuable for practical implementations. We simulate a demonstration by adopting the most popular permissioned blockchain, Hyperledger Fabric. The security and efficiency analysis reveals that the scheme obtained from our transformation method can achieve replayable chosen-ciphertext security with extremely efficient decryption.

computer science, information systems

Shuixiang Li,Ruixuan Li,Yu Zhang,Yongfeng Huang

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00093

2020-01-01

Abstract:The proliferation of mobile smartphones and the Internet has enabled people to stay online, gradually changing how people live and work. Particularly during epidemic isolation, people are more likely to communicate online via the Internet. Limited by the storage capacity and network bandwidth of mobile terminals, users are more likely to use the cloud to store and share data. However, data stored by centralized cloud services in a semi-trusted environment is at risk of being compromised, and most systems use cryptographic access control for the data, which failed to achieve fine-grained access control. In this paper, we propose a data access control system based on cloud and blockchain integration (CBI), which takes the decentralized, tamper-proof characteristics of blockchain and combines the advantages of cloud storage to design a novel integrated architecture, and designed a CBI-CP-ABE algorithm to implement attribute-based encryption for fine-grained access control. Experiments show that our proposed solution has similar performance to traditional data access control systems, and users have higher control and management rights over their data in the cloud so that they can store and share data more securely and keep track of their data usage.

Mingxin Ma,Guozhen Shi,Fenghua Li

DOI: https://doi.org/10.1109/access.2019.2904042

IF: 3.9

2019-01-01

IEEE Access

Abstract:The rapid development of the Internet of Things (IoT) and the explosive growth of valuable data produced by user equipment have led to strong demand for access control, especially hierarchical access control, which is performed from a group communication perspective. However, the key management strategies for such a future Internet are based mostly on a trusted third party that requires full trust of the key generation center (KGC) or central authority (CA). Recent studies indicate that centralized cloud centers will be unlikely to deliver satisfactory services to customers because we place too much trust in third parties; therefore, these centers do not apply to user privacy-oriented scenarios. This paper addresses these issues by proposing a novel blockchain-based distributed key management architecture (BDKMA) with fog computing to reduce latency and multiblockchains operated in the cloud to achieve cross-domain access. The proposed scheme utilizes blockchain technology to satisfy the decentralization, fine-grained auditability, high scalability, and extensibility requirements, as well as the privacy-preserving principles for hierarchical access control in IoT. We designed system operations methods and introduced different authorization assignment modes and group access patterns to reinforce the extensibility. We evaluated the performance of our proposed architecture and compared it with existing models using various performance measures. The simulation results show that the multiblockchain structure substantially improves system performance, and the scalability is excellent as the network size increases. Furthermore, dynamic transaction collection time adjustment enables the performance and system capacity to be optimized for various environments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhang Xiantao,Li Qi,Qing Sihan,Zhang Huanguo,Zhang Liqiang

DOI: https://doi.org/10.1109/ISCIT.2007.4392214

2007-01-01

Abstract:Role-based Access Control (RBAC) become an important techniques to secure e-commerce systems during recent years. However, RBAC management issue is still an unresolved problem. Moreover, with the development of IT technologies in many departments, there emerge many group communications which require dynamic user-role assignments. In these scenarios it is infeasible for few security officers to administrate the assignment for local variant applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. We also present an administration model of our PBAC model to address the management issues in traditional RBAC systems. As one of the main contributions, this paper proposes a decentralized administration model by introducing a component of group assignment to implement a novel user authorization mechanism and a new user-role assignment (UA) approach which provides a two-level administration for user and role management through the concept of group. Our model can be applied for the current group communication applications with dynamic assignments where typically local administrators take charge of the dynamic assignments. In this way, many administrative tasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-concept we implemented a prototype in Xen virtualization environment based on our proposed model to secure real distributed applications.

Ruhi Gupta

DOI: https://doi.org/10.48550/arXiv.1403.2043

2014-03-09

Distributed, Parallel, and Cluster Computing

Abstract:Cloud Computing is flourishing day by day and it will continue in developing phase until computers and internet era is in existence. While dealing with cloud computing, a number of security and traffic related issues are confronted. Load Balancing is one of the answers to these issues. RBAC deals with such an answer. The proposed technique involves the hybrid of FCFS with RBAC technique. RBAC will assign roles to the clients and clients with a particular role can only access the particular document. Hence identity management and access management are fully implemented using this technique.

Sathish Chander Krishnan

DOI: https://doi.org/10.1016/j.future.2024.04.054

IF: 7.307

2024-05-19

Future Generation Computer Systems

Abstract:– The Internet of Things is susceptible to seepage of private information during the data sharing. To circumvent this problem, access control and secure data sharing have been familiarized in cloud- IoT which is prevalent now days due to it storage and data access services. An intrusion detection implementation defends the veracity of the data sharing confining record are stored in a data base by recognizing when something changed unpredictably so that security and privacy are major anxieties. Therefore, it is crucial to develop the security apparatus that perceive and mitigate any feasible attack in cloud security services. In this paper, we proposed secure access control method with two-fold revocation for ensuring cloud computing security by hybrid blockchain (AI-Hybrid chain). Initially, all the users and services are registered their credentials to Secure Agent (SA) and provides image-based user authentication. Then, SA provides a long-term secret key which is generated by Improved Advanced Encryption Standard (IAES) algorithm, both user and service credentials are encrypted and stored in cloud chain. After that, gateway verifies the incoming requests are legitimate or illegitimate. For verifying the incoming packets, the proposed work utilizes Di-Fuzzy Inference System (Di-FIS) based on effective metrics. Further, legitimate request is optimally classified as sensitive and non-sensitive request for achieving secure service allocation using Tomtit Flock Optimization algorithm (TFO) based on optimal features. Once the service is allocated to users, we perform novel access control mechanism based on role and attribute of the users, the trust can be validated using Transfer Learning based Double Deep Q Network (TL-DDQN). Furthermore, virtual firewall is deployed in the cloud environment for analyzing the user storage request traffic as normal validated using Transfer Learning based Double Deep Q Network (TL-DDQN). Furthermore, virtual firewall is deployed in the cloud environment for analyzing the user storage request traffic as normal and malicious based on Contractive Residual Network (Con-ResNet). The implementation of proposed work is conducted by Network Simulator – 3.26 and the performance of the proposed AI-Hybrid chain model is itemized based on various performance metrics in terms of attack detection rate, overhead, success ratio, throughput, traffic rate, delay, response time and unauthorized access.

computer science, theory & methods

SHEN Qing-ni,YANG Ya-hui,YU Xi,ZHANG Li-zhe,CHEN Zhong

2011-01-01

Abstract:Cloud Storage is a multi-tenancy shared environment,so achieving data separation between different users effectively in the platform has become one of issues most concerned by users.In this paper,we provide business users a flexible access control policy,which is built on top of RBAC(Role-based Access Control),combined with organization label and a variety of security attributes with logical combinations.First of all,it provides strict inter-enterprise data isolation on cloud storage,ensuring that business users could not access data which doesn't belong to their organization.Moreover,it provides proper separation of organization internal data.Business users could customize the policy flexibly according to their own security requirements,isolating data from different sectors or geographical area.Finally,the policy provides a mechanism for corporations to share data on cloud storage by introducing the concept of "virtual organization",and guarantee companies with the same conflict set of interest could not be allowed to share data through traditional Chinese Wall Policy.This paper presents the design and implementation of a prototype based Hadoop distributed file system(HDFS),including security label,security policy,security decision module,enforcement procedure of security decision and user command interface.Then it analyzes the effectiveness and performance of the security mechanisms with experiments.The result shows that the policy meets the security requirement well and loss of system run-time performance is within an acceptable range.