Jin Li,Gansen Zhao,Xiaofeng Chen,Dongqing Xie,Chunming Rong,Wenjun Li,Lianzhang Tang,Yong Tang

DOI: https://doi.org/10.1109/cloudcom.2010.44

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which IT resources and capacities are provided as services over the Internet. Promising as it is, this paradigm also brings forth new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are likely outside of the same trust domain of data owners. To maintain the confidentiality of, sensitive user data against untrusted servers, existing work usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. In this paper, we present a way to implement, scalable and fine-grained access control systems based on attribute-based encryption (ABE). For the purpose of secure access control in cloud computing, the prevention of illegal key sharing among colluding users is missing from the existing access control systems based on ABE. This paper addresses this challenging open issue by defining and enforcing access policies based on data attributes and implementing user accountability by using traitor tracing. Furthermore, both the user grant and revocation are efficiently supported by using the broadcast encryption technique. Extensive analysis shows that the proposed scheme is highly efficient and provably secure under existing security models.

Shuaishuai Zhu,Xiaoyuan Yang

DOI: https://doi.org/10.1504/ijguc.2015.068824

2015-01-01

International Journal of Grid and Utility Computing

Abstract:Traditional file systems cannot satisfy the recent requirements in the cloud environment. Meanwhile, current file systems designed for cloud computing cannot provide enough flexibility, fine-grained access control and access security. In this paper, a novel secure file sharing scheme based on attribute control is presented. In order to design a practical cloud file system with attribute based encryption, we give a systematic definition of attribute computing in cloud computing environment. Based on the definition, we present a secure and practical attribute based encryption scheme without pairings CP-ABE-WP under cloud computing scenarios. Then we design a secure cloud file system applying our CP-ABE-WP to provide data management and secure data sharing. According to our analysis and test, the scheme is chosen plaintext secure in selective ID model with acceptable performance and can satisfy the file sharing application in cloud computing.

Zhusong Liu,Hongyang Yan,Zhiqiang Lin,Lingling Xu

DOI: https://doi.org/10.3217/jucs-021-03-0454

2015-01-01

Abstract:Cloud computing is an emerging computing paradigm that can provide storage resources and computing capacities services over the Internet. However, some new security issues arise when users' sensitive data are outsourced and shared in untrusted cloud. The traditional techniques to protect the confidentiality of sensitive data stored in cloud are encryption and related cryptographic tools. And the corresponding private keys to access and decrypt the files are disclosed to only authorized users. However, these traditional solutions are not scalable because the computational cost of encryption and other access control is heavy for devices with limited computation ability.In this paper, we present a new way to implement scalable and fine-grained access control systems, which can be applied for big data in untrusted cloud computing environment. The solution is based on symmetric, efficient broadcast encryption and fine-grained attribute-based encryption (ABE). In this access control system, users are able to join and revoked with broadcast encryption. An outsourced Hierarchical ABE scheme is first proposed in this paper to construct the access control system. The security analysis is also presented under the security model.

Guojun Wang,Qin Liu,Jie Wu,Minyi Guo

DOI: https://doi.org/10.1016/j.cose.2011.05.006

IF: 5.105

2011-01-01

Computers & Security

Abstract:With rapid development of cloud computing, more and more enterprises will outsource their sensitive data for sharing in a cloud. To keep the shared data confidential against untrusted cloud service providers (CSPs), a natural way is to store only the encrypted data in a cloud. The key problems of this approach include establishing access control for the encrypted data, and revoking the access rights from users when they are no longer authorized to access the encrypted data. This paper aims to solve both problems. First, we propose a hierarchical attribute-based encryption scheme (HABE) by combining a hierarchical identity-based encryption (HIBE) system and a ciphertext-policy attribute-based encryption (CP-ABE) system, so as to provide not only fine-grained access control, but also full delegation and high performance. Then, we propose a scalable revocation scheme by applying proxy re-encryption (PRE) and lazy re-encryption (LRE) to the HABE scheme, so as to efficiently revoke access rights from users.

Jin Li,Yinghui Zhang,Xiaofeng Chen,Yang Xiang

DOI: https://doi.org/10.1016/j.cose.2017.08.007

IF: 5.105

2017-01-01

Computers & Security

Abstract:Data sharing becomes an exceptionally attractive service supplied by cloud computing platforms because of its convenience and economy. As a potential technique for realizing fine-grained data sharing, attribute-based encryption (ABE) has drawn wide attentions. However, most of the existing ABE solutions suffer from the disadvantages of high computation overhead and weak data security, which has severely impeded resource-constrained mobile devices to customize the service. The problem of simultaneously achieving fine-grainedness, high-efficiency on the data owner's side, and standard data confidentiality of cloud data sharing actually still remains unresolved. This paper addresses this challenging issue by proposing a new attribute-based data sharing scheme suitable for resource-limited mobile users in cloud computing. The proposed scheme eliminates a majority of the computation task by adding system public parameters besides moving partial encryption computation offline. In addition, a public ciphertext test phase is performed before the decryption phase, which eliminates most of computation overhead due to illegitimate ciphertexts. For the sake of data security, a Chameleon hash function is used to generate an immediate ciphertext, which will be blinded by the offline ciphertexts to obtain the final online ciphertexts. The proposed scheme is proven secure against adaptively chosen-ciphertext attacks, which is widely recognized as a standard security notion. Extensive performance analysis indicates that the proposed scheme is secure and efficient.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Hua Deng,Zheng Qin,Qianhong Wu,Robert H. Deng,Zhenyu Guan,Yupeng Hu,Fangmin Li

DOI: https://doi.org/10.1109/tdsc.2022.3153467

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Cloud computing has become an increasingly popular option for users to store and share data. Encryption prior to outsourcing data to the cloud is the best way to protect data security and privacy; however, it hinders sharing of the data that was encrypted. In addition, users in many real-world organizations (e.g., enterprises) have multiple level structures and a higher-level user should have the privilege to decide which data can be shared with a lower-level user. Most solutions in the literature suffer from inefficiency or inflexibility in tackling this problem. In this article, we propose a fine-grained hierarchical data sharing (FHDS) scheme in clouds. With FHDS, the data owner can encrypt data with his public key, and then selectively share encrypted data with users in a hierarchy; if necessary, the users can disseminate the owner's data to their subordinates in the lower levels by generating access keys. In particular, the higher-level users could puncture the keys with some tags such that the part of the owner's data which is labeled by the punctured tags will not be accessible to the lower-level users. The proposed scheme is provable secure under our security model and performance analyses show the efficiency of the scheme.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.14257/ijsia.2016.10.10.27

2016-01-01

International Journal of Security and Its Applications

Abstract:Nowadays, more and more users outsource their data to third party cloud storage servers for the purpose of sharing, so cloud data sharing becomes one of the popular services offered by cloud service providers. However, the third party storage servers in cloud data sharing systems, which are not fully trusted by data owners, make access control to the shared data a challenging issue. Although Ciphertext-Policy AttributeBased Encryption (CP-ABE) is an emerging cryptographic solution for this issue, dealing with dynamic changes to users' access privileges (attribute revocation) in its practical applications as cloud data sharing systems is a real challenge. To overcome this challenge, we propose a fine-grained access control scheme for cloud data sharing systems by designing secure and efficient attribute-revocable CP-ABE scheme. Our scheme only allows non-revoked users in the attribute group to update their secret key by themselves using their unique key-update keys and the ciphertexts are updated by minimally trusted cloud server using a ciphertext-update key. Compared with the existing access controls achieved by attribute-revocable CP-ABE schemes, our proposed access control scheme reduces the trust degree of the cloud server in the attribute revocation mechanism. Furthermore, the analysis indicates that our access control scheme is more secure and efficient to apply to practical scenarios.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Liang Yan,Lina Ge,Zhe Wang,Guifen Zhang,Jingya Xu,Zheng Hu

DOI: https://doi.org/10.1186/s13677-023-00444-4

2023-04-19

Journal of Cloud Computing

Abstract:With the rapid development of cloud computing technology, how to achieve secure access to cloud data has become a current research hotspot. Attribute-based encryption technology provides the feasibility to achieve the above goal. However, most of the existing solutions have high computational and trust costs. Furthermore, the fairness of access authorization and the security of data search can be difficult to guarantee. To address these issues, we propose a novel access control scheme based on blockchain and attribute-based searchable encryption in cloud environment. The proposed scheme achieves fine-grained access control with low computation consumption by implementing proxy encryption and decryption, while supporting policy hiding and attribute revocation. The encrypted file is stored in the IPFS and the metadata ciphertext is stored on the blockchain, which ensures data integrity and confidentiality. Simultaneously, the scheme enables the secure search of ciphertext keyword in an open and transparent blockchain environment. Additionally, an audit contract is designed to constrain user access behavior to dynamically manage access authorization. Security analysis proves that our scheme is resistant to chosen-plaintext attacks and keyword-guessing attacks. Theoretical analysis and experimental results show that our scheme has high computational and storage efficiency, which is more advantageous than other schemes.

Jingsi REN,Jinlin WANG,Xiao CHEN,Xiaozhou YE

DOI: https://doi.org/10.3969/j.issn.2095-347X.2017.04.002

2017-01-01

Abstract:Traditional ABE schemes rely on a single authority,which is not suitable for large-scale data storage.In order to solve this problem,we present a novel decentralized attribute-based access control scheme for cloud storage environment.The proposed scheme has the following features:①Multiple authorities are independent,without the need for any central authority or global coordination;②The scheme supports any LSSS access structure and can easily carry out fine-granted access control;③We apply proxy re-encryption technique to resolve the issue of user revocation in decentralized ABE schemes.Security analysis and performance assessment show that our scheme is reliable,and can take into account both flexibility and efficiency.

Meiyan Xiao,Hongbo Li,Qiong Huang,Shui Yu,Willy Susilo

DOI: https://doi.org/10.1109/tifs.2022.3173412

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Attribute-based encryption scheme is a promising mechanism to realize one-to-many fine-grained access control which strengthens the security in cloud computing. However, massive amounts of data and various data sharing requirements bring great challenges to the complex but isolated and fixed access structures in most of the existing attribute-based encryption schemes. In this paper, we propose an attribute-based hierarchical encryption scheme with extendable policy, called Extendable Hierarchical Ciphertext-Policy Attribute-Based Encryption (EH-CP-ABE), to improve the data sharing efficiency and security simultaneously. The scheme realizes the function of hierarchical encryption, in which, data with hierarchical access control relationships could be encrypted together flexibly to improve the efficiency. The scheme also achieves external and internal extension of the access structure to further encrypt newly added hierarchical data without updating the original ciphertexts or with only a minor update depending on the data sharing requirements, which simplifies the encryption process and greatly reduces the computation overhead. We formally prove the security of the scheme is IND-CCA secure in the random oracle model based on bilinear Diffie-Hellman assumption, and we also implement our scheme to demonstrate its efficiency and practicality.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Xuejiao Liu,Yingjie Xia,Shasha Jiang,Fubiao Xia,Yanbo Wang

DOI: https://doi.org/10.1109/TrustCom.2013.60

2013-01-01

Abstract:Access control is one of the most important security mechanisms in cloud computing. Attributed based encryption provides an approach that allows data owners to integrate data access policies within the encrypted data. However, little work has been done to explore flexible authorization in specifying the data user's privileges and enforcing the data owner's policy in cloud based environments. In this paper, we propose a hierarchical attribute based access control scheme by extending ciphertext-policy attribute-based encryption (CP-ABE) with a hierarchical structure of multiauthorities and exploiting attribute-based signature (ABS). The proposed scheme not only achieves scalability due to its hierarchical structure, but also inherits fine-grained access control with authentication in supporting write privilege on outsourced data in cloud computing. In addition, we decouple the task of policy management from security enforcement by using the extensible access control markup language (XACML) framework. Extensive analysis shows that our scheme is both efficient and scalable in dealing with access control for outsourced data in cloud computing.

xuejiao liu,yingjie xia,yang xiang,mohammad mehedi hassan,abdulhameed alelaiwi

DOI: https://doi.org/10.1109/SocialSec2015.13

2015-01-01

Abstract:Hybrid cloud is a widely used cloud architecture in large companies that can outsource data to the publiccloud, while still supporting various clients like mobile devices. However, such public cloud data outsourcing raises serious security concerns, such as how to preserve data confidentiality and how to regulate access policies to the data stored in public cloud. To address this issue, we design a hybrid cloud architecture that supports data sharing securely and efficiently, even with resource-limited devices, where private cloud serves as a gateway between the public cloud and the data user. Under such architecture, we propose an improved construction of attribute-based encryption that has the capability of delegating encryption/decryption computation, which achieves flexible access control in the cloud and privacy-preserving in datautilization even with mobile devices. Extensive experiments show the scheme can further decrease the computational cost and space overhead at the user side, which is quite efficient for the user with limited mobile devices. In the process of delegating most of the encryption/decryption computation to private cloud, the user can not disclose any information to the private cloud. We also consider the communication securitythat once frequent attribute revocation happens, our scheme is able to resist some attacks between private cloud and data user by employing anonymous key agreement.

GU Bolun,XU Zikai,LI Weihai,YU Nenghai

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024055

2024-01-01

Abstract:With the rapid development and application of the Internet, traditional storage resources have been found unable to meet the growing demand for massive data storage. An increasing number of users have attempted to upload their data to third-party cloud servers for unified storage. Efficient deduplication and secure file sharing in the cloud have emerged as critical concerns. Moreover, users have always preferred to customize their passwords for encrypting and decrypting files, only sharing encrypted files when necessary. Based on this preference, a deterministic stepwise encryption algorithm was first designed. It was such that when the keys for the two steps of encryption satisfied a certain relationship, the two steps of encryption could be equivalent to a single encryption process. A novel key-customizable encrypted deduplication scheme with access control for cloud storage was proposed, utilizing the deterministic stepwise encryption algorithm to encrypt files and a ciphertext-policy attribute-based encryption algorithm to encrypt file keys. This scheme not only offered the flexibility to customize encryption and decryption keys for different users with the same files, but also ensured secure file sharing through a dynamic access control mechanism. Moreover, the optional access control component was made compatible with the majority of existing ciphertext-policy attribute-based encryption (CP-ABE) schemes, even allowing for different CP-ABE schemes within different attribute groups. Security analysis results show that the proposed scheme achieves the highest level of security under the current encrypted deduplication paradigm. Experimental and analytical results indicate that it effectively meets the practical needs of cloud service providers and users, and also achieves acceptable efficiency.

Yinghui Zhang,Xiaofeng Chen,Jin Li,Hui Li,Fenghua Li

DOI: https://doi.org/10.3837/tiis.2014.11.021

2014-01-01

Abstract:Attribute-based encryption (ABE) is a promising cryptographic primitive for implementing fine-grained data sharing in cloud computing. However, before ABE can be widely deployed in practical cloud storage systems, a challenging issue with regard to attributes and user revocation has to be addressed. To our knowledge, most of the existing ABE schemes fail to support flexible and direct revocation owing to the burdensome update of attribute secret keys and all the ciphertexts. Aiming at tackling the challenge above, we formalize the notion of ciphertext-policy ABE supporting flexible and direct revocation (FDR-CP-ABE), and present a concrete construction. The proposed scheme supports direct attribute and user revocation. To achieve this goal, we introduce an auxiliary function to determine the ciphertexts involved in revocation events, and then only update these involved ciphertexts by adopting the technique of broadcast encryption. Furthermore, our construction is proven secure in the standard model. Theoretical analysis and experimental results indicate that FDR-CP-ABE outperforms the previous revocation-related methods.

Guowen Xu,Shengmin Xu,Jinhua Ma,Jianting Ning,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2023.3305870

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud computing has been widely accepted as a computing paradigm to offer high-quality data services on demand. However, it suffers from various attacks as the cloud service provider and data owners are not in the same trusted domain. To support data confidentiality, existing cloud-based systems apply cryptographic tools to issue the decryption key to data users to share data in a controlled way. However, fine-grained cloud data sharing still faces many challenges, especially when dealing with dynamic user groups. In this paper, we introduce a secure and efficient cloud-based data-sharing system with fine-grained access control and dynamic user groups. Our system enjoys 1) adaptive security in prime-order groups, 2) forward secrecy against revoked user fetches data generated before being revoked, and 3) decryption key exposure resistance against the compromise of the frequently used decryption key, where the previous solutions only concentrate on one or two above-mentioned properties. More specifically, we introduce two timestamp management mechanisms that manage the timestamp in each ciphertext to support dynamic user groups with forward secrecy. By applying the proposed timestamp management mechanisms, we introduce two novel designs of attribute-based encryption schemes with formal definition and security analyses. The proposed schemes are adaptively secure in prime-order groups under a standard assumption and support decryption key exposure resistance. We conduct theoretical analysis and experimental simulation to demonstrate the outperformance of our solutions.

Hu Xiong,Hao Zhang,Jianfei Sun

DOI: https://doi.org/10.1109/jsyst.2018.2865221

IF: 4.802

2018-01-01

IEEE Systems Journal

Abstract:The sharing of personal data with multiple users from different domains has been benefited considerably from the rapid advances of cloud computing, and it is highly desirable to ensure the sharing file should not be exposed to the unauthorized users or cloud providers. Unfortunately, issues such as achieving the flexible access control of the sharing file, preserving the privacy of the receivers, forming the receiver groups dynamically, and high efficiency in encryption/decryption still remain challenging. To deal with these challenges, we provide a novel anonymous attribute-based broadcast encryption (A$^{2}$ B$^{2}$ E) which features the property of hidden access policy and enables the data owner to share his/her data with multiple participants who are inside a predefined receiver set and fulfill the access policy. We first suggest a concrete A$^{2}$ B$^{2}$ E scheme together with the rigorous and formal security proof without the support of the random oracle model. Then, we design an efficient and secure data sharing system by incorporating the A$^{2}$ B$^{2}$ E scheme, verifiable outsourcing decryption technique for attribute-based encryption, and the idea of online/offline attribute-based encryption. Extensive security analysis and performance evaluation demonstrate that our data sharing system is secure and practical.

Zhenyao Qiu,Zhiwei Zhang,Shichong Tan,Jianfeng Wang,Xiaoling Tao

DOI: https://doi.org/10.3966/160792642019052003002

2019-01-01

Abstract:Cloud storage is facing the contradiction between data security and flexible data sharing, and therefore the cryptographic access control mechanisms are well studied. In particular, hierarchical access control in cloud storage is significant for many application scenarios. In these scenarios, the users are divided into several groups organized in a hierarchy, and they are assigned with different access privileges according to their groups and levels. That is, the users in higher level groups can access the data belonging to their subordinate groups while the users in lower level groups cannot access the data belonging to their superior groups. However, most of the existing hierarchical access control solutions seem to be unpractical for their inability of scalable data sharing, inefficiency of key management or lack of delegated reencryption. In this paper, we propose a new hierarchical access control scheme based on key-aggregate encryption, and the proposed scheme realizes scalable data sharing in cloud storage which allows the users to share data with any user group. In the proposed scheme, the size of each key or ciphertext is constant and irrelevant to the scale of hierarchical user structure. Especially, our scheme improves the convenience of key management by cutting off the key derivation widely used in the existing hierarchical key assignment methods. Furthermore, the proposed scheme reduces the users' updating overhead by introducing the delegated re-encryption into the hierarchical scenarios. Finally, the security analysis and the performance evaluation indicate that our scheme is feasible for the hierarchical data sharing applications in cloud storage.