Hongyi Su,Geng Yang,and Dawei Li

2011-01-01

Abstract:Data storage is an important application of cloud computing. With a cloud computing platform, the burden of local data storage can be reduced. However, services and applications in a cloud may come from different providers, and creating an efficient protocol to protect privacy is critical. We propose a verification protocol for cloud database entries that protects against untrusted service providers. Based on identity-based encryption （IBE） for cloud storage, this protocol guards against breaches of privacy in cloud storage. It prevents service providers from easily constructing cloud storage and forging the signature of data owners by secret sharing. Simulation results confirm the availability and efficiency of the proposed protocol.

Kai Fan,Qiong Tian,Nana Huang,Yue Wang,Hui Li,Yintang Yang

DOI: https://doi.org/10.1109/iccchina.2016.7636861

2016-01-01

Abstract:With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issue. In this paper, we present an access control system with privilege separation based on privacy protection（PS-ACS）. In the PS-ACS scheme, we divide users into private domain（PRD） and public domain（PUD） logically. In PRD, to achieve read access permission and write access permission, we adopt the Key-Aggregate Encryption（KAE） and the Improved Attribute-based Signature（IABS） respectively. In PUD, we construct a new multi-authority ciphertext policy attribute-based encryption（CP-ABE） scheme with efficient decryption to avoid the issues of single point of failure and complicated key distribution, and design an efficient attribute revocation method for it. The analysis and simulation result show that our scheme is feasible and superior to protect users’ privacy in cloud-based services.

Ali A. Yassin,Hai Jin,Ayad Ibrahim,Weizhong Qiang,Deqing Zou

DOI: https://doi.org/10.1109/IPDPSW.2012.148

2012-01-01

Abstract:An era of cloud computing allows users to profit from many privileges. However, there are several new security challenges. In fact, anonymous password authentication in the traditional setting has been suffered from many inherent drawbacks such as ease of exposure to malicious attacks and users registered their passwords in the server. Our scheme proposes the phenomenal context according to three main components: data owner, users, and service provider in cloud where users do not need to register their passwords in the service provider. Moreover, the data owner is contributed to make secure decisions, so that he manages the significant keys to other components distributedly. The proposal enjoys several advantages such as preserving privacy of password, unlink ability, and secrecy of session key. We have given a mechanism to prove the identity of the users authenticated without a need to reveal their passwords. Our approach has been achieved good results of reliability, and validity for cloud password authentication. The experimental results show an effective level of performance.

Xiong Li,Saru Kumari,Jian Shen,Fan Wu,Caisen Chen,SK Hafizul Islam

DOI: https://doi.org/10.1007/s11277-016-3742-6

IF: 2.017

2016-01-01

Wireless Personal Communications

Abstract:Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.

Jingyu Wang,Ruichun Gu

DOI: https://doi.org/10.1109/icsess.2014.6933560

2014-01-01

Abstract:Cloud computing is a revolutionary computing paradigm which enables flexible, on-demand and low-cost usage of computing resources. Those advantages are the causes of security and privacy problems, which emerge because the data owned by different users are stored in some cloud servers instead of under their own control. How to protect the data privacy is the most important in cloud computing. In this paper, based on virtual adversary structure, a data security access scheme is proposed to protect sensitive data. The virtual adversary structure is realized by an efficient secret sharing scheme. The scheme has been shown to have reconstruction and perfect properties of the secret sharing. It only performs modular additions and subtractions and every share is replicated in multiple share sets. Based on virtual adversary structure and secret sharing, the scheme also has some advantages: low computational complexity and high recoverability.

Mang SU,Guozhen SHI,Anmin FU,Yan YU,Wei JIN

2018-01-01

Abstract:Cloud computing is one of the space-ground integration information network applications.Users can access data and retrieve service easily and quickly in cloud.The confidentiality and integrity of the data cloud have a direct correspondence to data security of the space-ground integration information network.Thus the data in cloud is transferred with encrypted form to protect the information.As an important technology of cloud security,access control should take account of multi-factor and cipher text to satisfy the complex requirement for cloud data protection.Based on this,a proxy re-encryption based multi-factor access control (PRE-MFAC) scheme was proposed.Firstly,the aims and assumptions of PRE-MFAC were given.Secondly,the system model and algorithm was defined.Finally,the security and properties of PRE-MFAC were analyzed.The proposed scheme has combined the PRE and multi-factor access control together and realized the multi-factor permission management of cipher text in cloud.Meanwhile,it can make the best possible use of cloud in computing and storing,then reduce the difficulty of personal user in cryptographic computing and key managing.

Dandan Yuan,Xiangfu Song,Qiuliang Xu,Minghao Zhao,Xiaochao Wei,Hao Wang,Han Jiang

DOI: https://doi.org/10.1016/j.jisa.2018.01.002

IF: 4.96

2018-01-01

Journal of Information Security and Applications

Abstract:Data sharing is one of the basic applications for cloud storage, which is inherently suitable for scalability and multitenancy feature of cloud computing. Generally, for security and privacy concerns, clients tend to conceal (e.g. encrypt) their data content. However, access patterns, usually generated by behavior of users in sharing data rather than data content itself, may cause severe sensitive information leakage . Recently, oblivious random access memory (ORAM) has drawn increasingly attention as it is an ideal cryptographic tool for access pattern hiding. However, the existing ORAM-based data sharing schemes involve various deficiencies, either in high complexity for computation or heavy reliance of complex cryptography primitives. Inspired by the former schemes, in this paper we propose a novel ORAM based data sharing scheme with high security guarantee and high efficiency. The scheme can prevent the data block from arbitrary modification through Shuffle Correctness Proof. The security of the scheme is based on the IND-CPA security of encryption scheme, the unforgeability of Identity-Based signature and the security properties of basic Path-ORAM. Analysis shows that the scheme has the optimal computation and communication complexity.

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-030-05345-1_31

2018-01-01

Abstract:The emerging attribute-based access control (ABAC) mechanism is an expressive, flexible, and manageable authorization technique that is particularly suitable for current distributed, inconstant and complex service-oriented scenarios. Unfortunately, the inevitable disclosure of attributes that carry sensitive information bring significant risks to users' privacy, which obstructs the further development and popularization of the ABAC severely. In this paper, we propose an effective privacy-preserving ABAC (P-ABAC) scheme to defend against privacy leakage risks of users' attributes. In the P-ABAC approach, the necessary sensitive attributes are securely handled on the service requester side by using the homomorphic encryption method for privacy protection. And meanwhile, the service provider is still able to make accurate access decisions according to the received attribute ciphertext and pre-set policies with the help of the homomorphic encryption-based secure multi-party computation techniques, while learning no privacy information. The theoretical analysis proves that our model contributes to making an efficient and effective ABAC model with the enhanced privacy-protection feature.

Qian Xu,Chengxiang Tan,Zhijie Fan,Wenye Zhu,Ya Xiao,Fujia Cheng

DOI: https://doi.org/10.1109/access.2018.2844829

IF: 3.9

2018-01-01

IEEE Access

Abstract:Nowadays, secure data access control has become one of the major concerns in a cloud storage system. As a logical combination of attribute-based encryption and attribute-based signature, attribute-based signcryption (ABSC) can provide confidentiality and an anonymous authentication for sensitive data and is more efficient than traditional ``encrypt-then-sign”or ``sign-then-encrypt”strategies. Thus, ABSC is suitable for fine-grained access control in a semi-trusted cloud environment and is gaining more and more attention in recent years. However, in many previous ABSC schemes, user's sensitive attributes can be disclosed to the authority, and only a single authority that is responsible for attribute management and key generation exists in the system. In this paper, we propose PMDAC-ABSC, a novel privacy-preserving data access control scheme based on Ciphertext-Policy ABSC, to provide a fine-grained control measure and attribute privacy protection simultaneously in a multi-authority cloud storage system. The attributes of both the signcryptor and the designcryptor can be protected to be known by the authorities and cloud server. Furthermore, the decryption overhead for user is significantly reduced by outsourcing the undesirable bilinear pairing operations to the cloud server without degrading the attribute privacy. The proposed scheme is proven to be secure in the standard model and has the ability to provide confidentiality, unforgeability, anonymous authentication, and public verifiability. The security analysis, asymptotic complexity comparison, and implementation results indicate that our construction can balance the security goals with practical efficiency in computation.

Hong Liu,Huansheng Ning,Qingxu Xiong,Laurence T. Yang

DOI: https://doi.org/10.1109/tpds.2014.2308218

IF: 5.3

2015-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Cloud computing is an emerging data interactive paradigm to realize users' data remotely stored in an online cloud server. Cloud services provide great conveniences for the users to enjoy the on-demand cloud applications without considering the local infrastructure limitations. During the data accessing, different users may be in a collaborative relationship, and thus data sharing becomes significant to achieve productive benefits. The existing security solutions mainly focus on the authentication to realize that a user's privative data cannot be illegally accessed, but neglect a subtle privacy issue during a user challenging the cloud server to request other users for data sharing. The challenged access request itself may reveal the user's privacy no matter whether or not it can obtain the data access permissions. In this paper, we propose a shared authority based privacy-preserving authentication protocol (SAPA) to address above privacy issue for cloud storage. In the SAPA, 1) shared access authority is achieved by anonymous access request matching mechanism with security and privacy considerations (e.g., authentication, data anonymity, user privacy, and forward security); 2) attribute based access control is adopted to realize that the user can only access its own data fields; 3) proxy re-encryption is applied to provide data sharing among the multiple users. Meanwhile, universal composability (UC) model is established to prove that the SAPA theoretically has the design correctness. It indicates that the proposed protocol is attractive for multi-user collaborative cloud applications.

computer science, theory & methods,engineering, electrical & electronic

Mingyang Zhao,Chuan Zhang,Tong Wu,Jianbing Ni,Ximeng Liu,Liehuang Zhu

DOI: https://doi.org/10.1109/tifs.2024.3394678

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In this paper, we propose a revocable and privacy-preserving bilateral access control scheme (named PriBAC) for general cloud data sharing (i.e., end-cloud-based data sharing). PriBAC ensures that preference matching is successful only when both parties' preferences are satisfied simultaneously. Otherwise, nothing is leaked beyond whether the preference matching occurs. There are three challenges in designing PriBAC. The first challenge is protecting matching information, i.e., concealing two preference matching processes, in a single cloud server. The second challenge is protecting preference content while preventing receivers from receiving much useless information. The third challenge is how to integrate efficient user revocation mechanisms into bilateral access control to handle frequent user revocation cases in practical cloud data sharing applications. To address the above challenges, the punchline in PriBAC is to leverage Newton's interpolation formula-based secret sharing to enrich the matchmaking encryption technique for constructing a privacy-preserving preference matching mechanism. To achieve efficient user revocation, we integrate a unique symbol into each user's keys and efficiently revoke users by invaliding the corresponding keys. Security analysis proves that PriBAC can resist the chosen-ciphertext attack and preserves preference privacy and matching privacy. Experiments show that PriBAC achieves approximately 3x user performance improvement compared with current state-of-the-art related schemes.

毛剑,李坤,徐先栋

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2011.10.005

2011-01-01

Abstract:Privacy protection is a key challenge in cloud computing.Existing schemes mostly focus on user data protection rather than personally identifiable information protection.This paper presents an implicit data partitioning scheme based on confusion for user data protection.For identifiable information protection,this paper presents a cloud storage architecture based on Trust Server（TS） concept,which the isolates the data storage and the personal information management.The cloud server decides whether customers have the right to store personal data according to the storage authentication code provided the trust server.Storage of the customers＇ identifiable information onto trust servers effectively protects the private information.

Jian Wang,Chunxiao Ye,Yangfei Ou

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00092

2019-01-01

Abstract:Cloud computing have brought a lot of advantages, such as reducing the hardware cost and providing a convenient cloud storage service. More and more people choose to put their private data in the cloud. However, due to data outsourcing and seminal-trusted cloud servers, data access control has becoming a challenging issue. To protect data security and privacy, some ciphertext policy attribute-based encryption (CP-ABE) schemes have been applied to cloud data access control. However, there are two dynamic issues, namely attribute revocation and policy updating, that need to be solved in the existing CP-ABE schemes. In this paper, we propose a fine-grained dynamic multi-authority cloud data access control scheme, which can solve the above two problems. Besides, our scheme can also support user revocation, which make it more practical. The analysis and simulation results show that our scheme is secure in the random oracle model and is efficient.

Liu Wu,Sun Donghong,Ren Ping,Liu Ke

DOI: https://doi.org/10.1109/fskd.2016.7603356

2016-01-01

Abstract:A Reputation and Attribute Based Dynamic Access Control (RA-DAC) Framework for Privacy Protection in Cloud Computing Environment was presented in this paper. First, RA-DAC is used to encourage honest users for their good actions in cloud environment. Second, RA-DAC is also used to constraint malicious users for their destructive actions in cloud environment. And finally, based on RA-DAC we developed the Reputation and Attribute Based Dynamic Access Control System (RA-DACS) which is used to detect the malicious behaviors of dishonest users and automatically prevent their further action to threaten the security of the cloud computing environment.

Jinqiu Hou,Changgen Peng,Weijie Tan,Hongfa Ding

DOI: https://doi.org/10.32604/cmes.2023.027276

2024-01-01

Computer Modeling in Engineering & Sciences

Abstract:Cloud-based services have powerful storage functions and can provide accurate computation. However, the question of how to guarantee cloud-based services access control and achieve data sharing security has always been a research highlight. Although the attribute-based proxy re-encryption (ABPRE) schemes based on number theory can solve this problem, it is still difficult to resist quantum attacks and have limited expression capabilities. To address these issues, we present a novel linear secret sharing schemes (LSSS) matrix-based ABPRE scheme with the fine-grained policy on the lattice in the research. Additionally, to detect the activities of illegal proxies, homomorphic signature (HS) technology is introduced to realize the verifiability of re-encryption. Moreover, the non-interactivity, unidirectionality, proxy transparency, multi-use, and anti-quantum attack characteristics of our system are all advantageous. Besides, it can efficiently prevent the loss of processing power brought on by repetitive authorisation and can enable precise and safe data sharing in the cloud. Furthermore, under the standard model, the proposed learning with errors (LWE)-based scheme was proven to be IND-sCPA secure.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/tvt.2006.877704

2005-01-01

Abstract:Privacy and security are two important but seemingly contradict objectives in pervasive computing environments (PCEs). On the one hand, service providers want to authenticate service users and make sure they are accessing only authorized services in a legitimate way. On the other hand, users want to maintain necessary privacy without being tracked down for wherever they are and whatever they are doing. In this paper we propose a novel privacy enhanced authentication and access control scheme to secure the interactions between mobile users and services in PCEs. The proposed scheme seamlessly integrates two underlying cryptographic primitives, blind signature and hash chain, into a highly flexible and lightweight authentication and key establishment protocol. It provides explicit mutual authentication between a user and a service, while allowing the user to anonymously interact with the service. Differentiated service access control is also enabled in the proposed scheme by classifying mobile users into different service groups.

Akram Sarhan,Leszek Lilien

DOI: https://doi.org/10.48550/arXiv.1904.00880

2019-03-28

Abstract:The management of sensitive data, including identity management (IDM), is an important problem in cloud computing, fundamental for authentication and fine-grained service access control. Our goal is creating an efficient and robust IDM solution that addresses critical issues in cloud computing. The proposed IDM scheme does not rely on trusted third parties (TTPs) or trusted dealers. The scheme is a multiparty interactive solution that combines RSA distributed key generation and attribute-based encryption. We believe that it will be a robust IDM privacy-preserving solution in cloud computing, because it has the following features: (i) protects sensitive data on untrusted hosts using active bundle; (ii) supports the minimum disclosure property; (iii) minimizes authentication overhead by providing single sign-on; (iv) supports authentication with encrypted credentials; (v) avoids using trusted third parties (TTPs_, incl. using TTPs for key management; (vi) supports revocation and delegation of access right; and (vii) supports revocation of user credentials. The scheme should also be efficient because it exploits parallelism.

Cryptography and Security

Ling Xiong,Fagen Li,Mingxing He,Zhicai Liu,Tu Peng

DOI: https://doi.org/10.1109/tcc.2020.3029878

IF: 5.697

2022-01-01

IEEE Transactions on Cloud Computing

Abstract:In the last few years, mobile cloud computing (MCC) gains a huge development because of the popularity of mobile applications and cloud computing. User authentication and access control are two indispensable security components in the MCC environment. To the best of our knowledge, they are generally designed in different procedures. Access control can be executed after the authentication completes successfully. In order to improve efficiency, this article constructs an integrated scheme of authentication and hierarchical access control using self-certified public key cryptography (SCPKC) and the Chinese remainder theorem (CRT) for MCC environment. The proposed scheme can achieve mutual authentication while determining the access rights of mobile users without storing any access control list in the MCC service provider side. Besides, we also give a dynamic adding or deletion of MCC service provider to efficiently address potential changes in the hierarchy. The security of our proposed scheme is proved by the random oracle model. Compared with recently related multi-server authentication schemes for the MCC environment, the proposed scheme not only adds a new function of hierarchical access control but also has better computation and communication efficiencies. Therefore, the proposed scheme is more suitable for real-life MCC applications.

Ping-ping LIU,Lin-ying YAN

DOI: https://doi.org/10.16185/j.jxatu.edu.cn.2015.05.003

2015-01-01

Abstract:For the purpose of secure cloud storage ,a secure cloud storage access control system scheme is proposed in this paper .In the scheme ,Linux and Hadoop are used to build the cloud platform .T he role-based access control method is employed to test identity and to access nonsensitive data . And the attribute encryption algorithm is applyed to encrypt/decrypt data .Experiment show s that this scheme can effectively ensure the integrity and confidentiality of data in the cloud storage .

Jun Zhou,Xiaodong Lin,Xiaolei Dong,Zhenfu Cao

DOI: https://doi.org/10.1109/TPDS.2014.2314119

2015-01-01

Abstract:Distributed m-healthcare cloud computing system significantly facilitates efficient patient treatment for medical consultation by sharing personal health information among healthcare providers. However, it brings about the challenge of keeping both the data confidentiality and patients' identity privacy simultaneously. Many existing access control and anonymous authentication schemes cannot be straightforwardly exploited. To solve the problem, in this paper, a novel authorized accessible privacy model (AAPM) is established. Patients can authorize physicians by setting an access tree supporting flexible threshold predicates. Then, based on it, by devising a new technique of attribute-based designated verifier signature, a patient self-controllable multi-level privacy-preserving cooperative authentication scheme (PSMPA) realizing three levels of security and privacy requirement in distributed m-healthcare cloud computing system is proposed. The directly authorized physicians, the indirectly authorized physicians and the unauthorized persons in medical consultation can respectively decipher the personal health information and/or verify patients' identities by satisfying the access tree with their own attribute sets. Finally, the formal security proof and simulation results illustrate our scheme can resist various kinds of attacks and far outperforms the previous ones in terms of computational, communication and storage overhead.