Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Kan Yang,Xiaohua Jia,Kui Ren

DOI: https://doi.org/10.1145/2484313.2484383

2013-01-01

Abstract:A cloud storage service allows data owner to outsource their data to the cloud and through which provide the data access to the users. Because the cloud server and the data owner are not in the same trust domain, the semi-trusted cloud server cannot be relied to enforce the access policy. To address this challenge, traditional methods usually require the data owner to encrypt the data and deliver decryption keys to authorized users. These methods, however, normally involve complicated key management and high overhead on data owner. In this paper, we design an access control framework for cloud storage systems that achieves fine-grained access control based on an adapted Ciphertext-Policy Attribute-based Encryption (CP-ABE) approach. In the proposed scheme, an efficient attribute revocation method is proposed to cope with the dynamic changes of users' access privileges in large-scale systems. The analysis shows that the proposed access control scheme is provably secure in the random oracle model and efficient to be applied into practice.

Jin Li,Gansen Zhao,Xiaofeng Chen,Dongqing Xie,Chunming Rong,Wenjun Li,Lianzhang Tang,Yong Tang

DOI: https://doi.org/10.1109/cloudcom.2010.44

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which IT resources and capacities are provided as services over the Internet. Promising as it is, this paradigm also brings forth new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are likely outside of the same trust domain of data owners. To maintain the confidentiality of, sensitive user data against untrusted servers, existing work usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. In this paper, we present a way to implement, scalable and fine-grained access control systems based on attribute-based encryption (ABE). For the purpose of secure access control in cloud computing, the prevention of illegal key sharing among colluding users is missing from the existing access control systems based on ABE. This paper addresses this challenging open issue by defining and enforcing access policies based on data attributes and implementing user accountability by using traitor tracing. Furthermore, both the user grant and revocation are efficiently supported by using the broadcast encryption technique. Extensive analysis shows that the proposed scheme is highly efficient and provably secure under existing security models.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.14257/ijsia.2016.10.10.27

2016-01-01

International Journal of Security and Its Applications

Abstract:Nowadays, more and more users outsource their data to third party cloud storage servers for the purpose of sharing, so cloud data sharing becomes one of the popular services offered by cloud service providers. However, the third party storage servers in cloud data sharing systems, which are not fully trusted by data owners, make access control to the shared data a challenging issue. Although Ciphertext-Policy AttributeBased Encryption (CP-ABE) is an emerging cryptographic solution for this issue, dealing with dynamic changes to users' access privileges (attribute revocation) in its practical applications as cloud data sharing systems is a real challenge. To overcome this challenge, we propose a fine-grained access control scheme for cloud data sharing systems by designing secure and efficient attribute-revocable CP-ABE scheme. Our scheme only allows non-revoked users in the attribute group to update their secret key by themselves using their unique key-update keys and the ciphertexts are updated by minimally trusted cloud server using a ciphertext-update key. Compared with the existing access controls achieved by attribute-revocable CP-ABE schemes, our proposed access control scheme reduces the trust degree of the cloud server in the attribute revocation mechanism. Furthermore, the analysis indicates that our access control scheme is more secure and efficient to apply to practical scenarios.

Guojun Wang,Qin Liu,Jie Wu,Minyi Guo

DOI: https://doi.org/10.1016/j.cose.2011.05.006

IF: 5.105

2011-01-01

Computers & Security

Abstract:With rapid development of cloud computing, more and more enterprises will outsource their sensitive data for sharing in a cloud. To keep the shared data confidential against untrusted cloud service providers (CSPs), a natural way is to store only the encrypted data in a cloud. The key problems of this approach include establishing access control for the encrypted data, and revoking the access rights from users when they are no longer authorized to access the encrypted data. This paper aims to solve both problems. First, we propose a hierarchical attribute-based encryption scheme (HABE) by combining a hierarchical identity-based encryption (HIBE) system and a ciphertext-policy attribute-based encryption (CP-ABE) system, so as to provide not only fine-grained access control, but also full delegation and high performance. Then, we propose a scalable revocation scheme by applying proxy re-encryption (PRE) and lazy re-encryption (LRE) to the HABE scheme, so as to efficiently revoke access rights from users.

Xiaoyu Li,Shaohua Tang,Lingling Xu,Huaqun Wang,Jie Chen

DOI: https://doi.org/10.1109/access.2016.2609884

IF: 3.9

2016-01-01

IEEE Access

Abstract:Attribute-based encryption, especially for ciphertext-policy attribute-based encryption, can fulfill the functionality of fine-grained access control in cloud storage systems. Since users' attributes may be issued by multiple attribute authorities, multi-authority ciphertext-policy attribute-based encryption is an emerging cryptographic primitive for enforcing attribute-based access control on outsourced data. However, most of the existing multi-authority attribute-based systems are either insecure in attribute-level revocation or lack of efficiency in communication overhead and computation cost. In this paper, we propose an attribute-based access control scheme with two-factor protection for multi-authority cloud storage systems. In our proposed scheme, any user can recover the outsourced data if and only if this user holds sufficient attribute secret keys with respect to the access policy and authorization key in regard to the outsourced data. In addition, the proposed scheme enjoys the properties of constant-size ciphertext and small computation cost. Besides supporting the attribute-level revocation, our proposed scheme allows data owner to carry out the user-level revocation. The security analysis, performance comparisons, and experimental results indicate that our proposed scheme is not only secure but also practical.

Dongyang Xu,Fengying Luo,Lin Gao,Zhi Tang

DOI: https://doi.org/10.1109/intech.2013.6653703

2013-01-01

Abstract:With the rapid development of cloud computing, more and more users begin to share documents in cloud servers. Since cloud servers are not within the trusted domain of users, encryption and access control are needed to protect the digital content. Attribute-based encryption is a favorable scheme that has been used for content protection in cloud computing. It can provide “one-to-many” encryption service so that one encrypted file can be decrypted by multiple prospective recipients whose attributes conform to the access policy. Currently, all existing attribute-based encryption schemes assume that the digital content and authorized users are equally privileged; however, there are emerging application scenarios that demand digital content and users with different privileges. In this paper, we present a new attribute-based encryption scheme that can generate security keys of different class for users by integrating ciphertext-policy attribute-based encryption and hierarchical cryptographic key management. Thus, we achieve the fine-grained document sharing which means that users can preview the same document with different privileges. We use hierarchical keys derived from a chain of one-way functions. Extensive analysis shows that our proposed scheme is simple, efficient and secure. The proposed scheme can provide “one-fits-many” encryption service.

Xinfeng Ye,Bakh Khoussainov

DOI: https://doi.org/10.1504/IJGUC.2013.056252

2013-01-01

Abstract:Fine-grained access control schemes are commonly used in cloud computing. In this type of schemes, each data item is given its own access control policy. The entity that wants to access the data item needs to provide its credentials to a policy enforcer. In a cloud environment, normally, the policy enforcer is not the owner of the data. The access control policies and the credentials might reveal some information that the policy enforcer is not entitled to know. This paper proposes a fine-grained access control scheme. It prevents the policy enforcers from comprehending the access control policies and the entities' credentials by using cryptographic techniques. Compared with the existing schemes, the proposed scheme provides higher level privacy.

Jian Wang,Chunxiao Ye,Yangfei Ou

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00092

2019-01-01

Abstract:Cloud computing have brought a lot of advantages, such as reducing the hardware cost and providing a convenient cloud storage service. More and more people choose to put their private data in the cloud. However, due to data outsourcing and seminal-trusted cloud servers, data access control has becoming a challenging issue. To protect data security and privacy, some ciphertext policy attribute-based encryption (CP-ABE) schemes have been applied to cloud data access control. However, there are two dynamic issues, namely attribute revocation and policy updating, that need to be solved in the existing CP-ABE schemes. In this paper, we propose a fine-grained dynamic multi-authority cloud data access control scheme, which can solve the above two problems. Besides, our scheme can also support user revocation, which make it more practical. The analysis and simulation results show that our scheme is secure in the random oracle model and is efficient.

Jingwei Li,Jin Li,Xiaofeng Chen,Chunfu Jia,Zheli Liu

DOI: https://doi.org/10.1007/978-3-642-34601-9_37

2012-01-01

Abstract:As cloud computing becomes prevalent, more and more sensitive information is being centralized into the cloud, which raises a new challenge on how to efficiently share the outsourced data in a fine-grained manner. Although searchable encryption allows for privacy-preserving keyword search over encrypted data in public cloud, it could not work effectively for supporting fine-grained access control over encrypted data simultaneously. In this paper, we consider to tackle the challenge above under a hybrid architecture in which a private cloud is introduced as an access interface between users and public cloud. We firstly propose a basic scheme allowing both exact keyword search and fine-grained access control over encrypted data. Furthermore, an advanced scheme supporting fuzzy keyword search is presented. In both schemes, overhead computation is securely outsourced to private cloud but only left behind the file encryption and decryption at user side. Finally, we demonstrate approaches to realize outsourcing cryptographic access control mechanism and further relieve the computational cost at user side.

Xin Liu,Hao Wang,Bo Zhang,Bin Zhang

DOI: https://doi.org/10.1016/j.ins.2021.10.038

IF: 8.1

2022-01-01

Information Sciences

Abstract:In a data access control system oriented toward the cloud storage environment, a data owner defines attribute-based access control policies for data files to realize fine-grained data sharing. However, the existing schemes have defects in user execution efficiency and user privacy protection, and they do not consider the problems of user revocation and attribute updates. To this end, we propose a ciphertext policy attribute-based encryption method with verifiable outsourced decryption; this requires a user to complete decryption with the help of a server, but the results of the outsourced decryption can be verified independently. With this new encryption scheme and the technique of k-times anonymous authentication, a new fine-grained data access control system was constructed; this system allows a server to provide users with outsourced decryption services, and users’ computation cost is independent of the size of the underlying access control policy. Moreover, the number of outsourced decryption requests is limited. In addition, the new system supports user revocation and attribute updates and it is provably secure under formal proofs. An efficiency analysis shows that it can be compared with other similar systems in terms of performance, despite the addition of several practical properties.

computer science, information systems

Zhusong Liu,Hongyang Yan,Zhiqiang Lin,Lingling Xu

DOI: https://doi.org/10.3217/jucs-021-03-0454

2015-01-01

Abstract:Cloud computing is an emerging computing paradigm that can provide storage resources and computing capacities services over the Internet. However, some new security issues arise when users' sensitive data are outsourced and shared in untrusted cloud. The traditional techniques to protect the confidentiality of sensitive data stored in cloud are encryption and related cryptographic tools. And the corresponding private keys to access and decrypt the files are disclosed to only authorized users. However, these traditional solutions are not scalable because the computational cost of encryption and other access control is heavy for devices with limited computation ability.In this paper, we present a new way to implement scalable and fine-grained access control systems, which can be applied for big data in untrusted cloud computing environment. The solution is based on symmetric, efficient broadcast encryption and fine-grained attribute-based encryption (ABE). In this access control system, users are able to join and revoked with broadcast encryption. An outsourced Hierarchical ABE scheme is first proposed in this paper to construct the access control system. The security analysis is also presented under the security model.

Ran Yang,Chuang Lin,Yixin Jiang

DOI: https://doi.org/10.1109/icc.2012.6364473

2012-01-01

Abstract:In cloud computing, the sensitive data are required to be encrypted before being outsourced to the server, which introduce a heavy computation overhead for key derivation and data management when dynamic hierarchical access control is desired. In this paper, we address this challenging problem by delegating the computation intensive task, such as data re-encryption, key distribution and derivation to cloud servers. Only bilinear pairing and random padding are used in our construction. Extensive analysis shows that the proposed scheme achieves scalability and dynamic simultaneously, and is proved to be secure formally.

Chong Wang,Hao Jin,Ronglei Wei,Ke Zhou

DOI: https://doi.org/10.1007/s11227-021-04277-3

IF: 3.3

2022-01-20

The Journal of Supercomputing

Abstract:Attribute-based encryption(ABE) can enable user-centered data sharing in untrusted cloud scenario where users usually lack control on their outsourced data. However, existing ABE schemes have intrinsic limitations on scalability and revocation efficiency due to the bottleneck of a central authority and heavy re-encryption overhead on revocations. In this paper, we present a revocable decentralized attribute-based encryption scheme for data access control in cloud storage. In particular, by integrating decentralized attribute-based encryption, key regression technique, all-or-nothing transform, revocation list for involved attributes, and blacklist in a novel way, we provide a revocable ABE scheme with practical dynamic group membership and identity privacy protection, and meanwhile, it enhances the re-encryption efficiency caused by revocations without sacrificing security. We analyzed the security of our scheme. The experimental evaluation demonstrates that the cryptographic overhead on key derivation, encryption(decryption), and ABE ciphertext update are reasonable, and for the throughput of accessing encrypted data from the cloud, our scheme outperforms other schemes.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Jialu Hao,Cheng Huang,Jian Liu,Ming Xian,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/glocom.2018.8647659

2018-01-01

Abstract:Data owners have benefited significantly from cloud computing for managing the numerous data produced by massive devices in various Internet of Things (IoT) applications, such as smart home and electronic healthcare. On the other hand, fine-grained access control on outsourced data is a big concern for data owners, after they lose physical control over their data. Key-policy attribute-based encryption (KP-ABE), which provides data confidentiality and fine-grained data access control simultaneously, can be naturally introduced in this cloud-based IoT paradigm. However, the primitive KP-ABE cannot achieve efficient data access control with flexible user revocation. In this paper, we propose an efficient and fine-grained data access control scheme based on the proxy re-encryption and key blinding techniques for cloud-based IoT. With the scheme, the decryption capability of misbehaving users can be efficiently revoked to prevent data disclosure. In addition, most of the costly update operations over ciphertexts and keys due to user revocation, are delegated to the cloud. Extensive experiment results demonstrate that our scheme is more efficient than existing solutions in terms of computation and communication overheads.

Yinghui Zhang,Xiaofeng Chen,Jin Li,Hui Li,Fenghua Li

DOI: https://doi.org/10.3837/tiis.2014.11.021

2014-01-01

Abstract:Attribute-based encryption (ABE) is a promising cryptographic primitive for implementing fine-grained data sharing in cloud computing. However, before ABE can be widely deployed in practical cloud storage systems, a challenging issue with regard to attributes and user revocation has to be addressed. To our knowledge, most of the existing ABE schemes fail to support flexible and direct revocation owing to the burdensome update of attribute secret keys and all the ciphertexts. Aiming at tackling the challenge above, we formalize the notion of ciphertext-policy ABE supporting flexible and direct revocation (FDR-CP-ABE), and present a concrete construction. The proposed scheme supports direct attribute and user revocation. To achieve this goal, we introduce an auxiliary function to determine the ciphertexts involved in revocation events, and then only update these involved ciphertexts by adopting the technique of broadcast encryption. Furthermore, our construction is proven secure in the standard model. Theoretical analysis and experimental results indicate that FDR-CP-ABE outperforms the previous revocation-related methods.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.11989/jest.1674-862x.5121616

2017-01-01

Journal of Electronic Science and Technology

Abstract:Nowadays, there is the tendency to outsource data to cloud storage servers for data sharing purposes. In fact, this makes access control for the outsourced data a challenging issue. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic solution for this challenge. It gives the data owner (DO) direct control on access policy and enforces the access policy cryptographically. However, the practical application of CP-ABE in the data sharing service also has its own inherent challenge with regard to attribute revocation. To address this challenge, we proposed an attribute-revocable CP-ABE scheme by taking advantages of the over-encryption mechanism and CP-ABE scheme and by considering the semi-trusted cloud service provider (CSP) that participates in decryption processes to issue decryption tokens for authorized users. We further presented the security and performance analysis in order to assess the effectiveness of the scheme. As compared with the existing attribute-revocable CP-ABE schemes, our attribute-revocable scheme is reasonably efficient and more secure to enable attribute-based access control over the outsourced data in the cloud data sharing service.

Hua Deng,Zheng Qin,Qianhong Wu,Robert H. Deng,Zhenyu Guan,Yupeng Hu,Fangmin Li

DOI: https://doi.org/10.1109/tdsc.2022.3153467

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Cloud computing has become an increasingly popular option for users to store and share data. Encryption prior to outsourcing data to the cloud is the best way to protect data security and privacy; however, it hinders sharing of the data that was encrypted. In addition, users in many real-world organizations (e.g., enterprises) have multiple level structures and a higher-level user should have the privilege to decide which data can be shared with a lower-level user. Most solutions in the literature suffer from inefficiency or inflexibility in tackling this problem. In this article, we propose a fine-grained hierarchical data sharing (FHDS) scheme in clouds. With FHDS, the data owner can encrypt data with his public key, and then selectively share encrypted data with users in a hierarchy; if necessary, the users can disseminate the owner's data to their subordinates in the lower levels by generating access keys. In particular, the higher-level users could puncture the keys with some tags such that the part of the owner's data which is labeled by the punctured tags will not be accessible to the lower-level users. The proposed scheme is provable secure under our security model and performance analyses show the efficiency of the scheme.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.1109/cbd.2016.041

2016-01-01

Abstract:With the development and benefits of cloud computing, nowadays more and more users outsource their data to third party cloud storage servers for ease of sharing and cost saving. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is a promising tool for enabling fine-grained access control over the shared data in the cloud. However, the practical application of CP-ABE in cloud data sharing system also has its own inherent challenge to regard with user revocation. To address this challenge, the paper proposes a CP-ABE scheme which supports an effective user revocation mechanism by introducing "the essential attribute" and by considering minimally trusted proxy servers; the essential attribute must be included in both ciphertext and update-key. By excluding the revoked users from update-key (which is a part of a decryption key) and by re-encrypting the only component in ciphertexts, which is associated with the essential attribute, our scheme achieves immediate and complete user revocation mechanism in CP-ABE. The proposed scheme enables a scalable and fine-grained access control for cloud data sharing system. Our scheme provides more efficiency and security level simultaneously comparing to the existing user revocable CP-ABE scheme.