Jianan Hong,Kaiping Xue,Wei Li

2015-01-01

Abstract:Yang et al. [1] have proposed a multi-authority CP-ABE based data access control for cloud storage (DAC-MACS), in which the authors claimed that the mechanism in dealing with attribute revocation could achieve both forward security and backward security. Unfortunately, our further analysis and investigation show that their work adopts a bidirectional re-encryption method in ciphertext updating, so a security vulnerability appears. Our proposed attack method demonstrates that a revoked user can still decrypt new ciphertexts that are claimed to require the new-version secret keys to decrypt.

Kan Yang,Xiaohua Jia,Kui Ren,Bo Zhang

DOI: https://doi.org/10.1109/tifs.2013.2279531

IF: 7.231

2013-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data access control is an effective way to ensure data security in the cloud. However, due to data outsourcing and untrusted cloud servers, the data access control becomes a challenging issue in cloud storage systems. Existing access control schemes are no longer applicable to cloud storage systems, because they either produce multiple encrypted copies of the same data or require a fully trusted cloud server. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising technique for access control of encrypted data. However, due to the inefficiency of decryption and revocation, existing CP-ABE schemes cannot be directly applied to construct a data access control scheme for multiauthority cloud storage systems, where users may hold attributes from multiple authorities. In this paper, we propose data access control for multiauthority cloud storage (DAC-MACS), an effective and secure data access control scheme with efficient decryption and revocation. Specifically, we construct a new multiauthority CP-ABE scheme with efficient decryption, and also design an efficient attribute revocation method that can achieve both forward security and backward security. We further propose an extensive data access control scheme (EDAC-MACS), which is secure under weaker security assumptions.

Kan Yang,Xiaohua Jia,Kui Ren

DOI: https://doi.org/10.1145/2484313.2484383

2013-01-01

Abstract:A cloud storage service allows data owner to outsource their data to the cloud and through which provide the data access to the users. Because the cloud server and the data owner are not in the same trust domain, the semi-trusted cloud server cannot be relied to enforce the access policy. To address this challenge, traditional methods usually require the data owner to encrypt the data and deliver decryption keys to authorized users. These methods, however, normally involve complicated key management and high overhead on data owner. In this paper, we design an access control framework for cloud storage systems that achieves fine-grained access control based on an adapted Ciphertext-Policy Attribute-based Encryption (CP-ABE) approach. In the proposed scheme, an efficient attribute revocation method is proposed to cope with the dynamic changes of users' access privileges in large-scale systems. The analysis shows that the proposed access control scheme is provably secure in the random oracle model and efficient to be applied into practice.

Caihui Lan,Caifen Wang,Haifeng Li,Liangliang Liu

DOI: https://doi.org/10.1109/tifs.2021.3058758

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In this letter, we discuss the security weakness of Wang et al.'s attribute-based data sharing scheme, in IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY (TIFS) (DOI: 10.1109/TIFS.2016.2549004). Through designing two concrete attacks, we identify two serious security flaws in their scheme. 1) First, we show that their scheme is insecure because in their scheme any authenticated user can freely tamper with the weight of his own attribute to gain higher level decryption privilege to arbitrarily decrypt the ciphertext belonging to another user with higher weight of attribute. 2) Second, we further demonstrate that their scheme is trivial insecure because in their scheme even any malicious authenticated user's attribute does not match the access policy of a ciphertext, he/she still has the power to decrypt the ciphertext, i.e., the decryption power is independent of attributes, thus, their scheme is not a rigorous attribute-based scheme. The two weaknesses discovered may hinder their scheme infeasible for practical deployment. Accordingly, we present a remedy solution to the issues while preserving all the security features of the original scheme. We hope that our cryptoanalysis and remedy scheme may contribute to avoiding similar design flaws in future designs.

computer science, theory & methods,engineering, electrical & electronic

Kaiping Xue,Yingjie Xue,Jianan Hong,Wei Li,Hao Yue,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2016.2647222

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data access control is a challenging issue in public cloud storage systems. Ciphertext-policy attribute-based encryption (CP-ABE) has been adopted as a promising technique to provide flexible, fine-grained, and secure data access control for cloud storage with honest-but-curious cloud servers. However, in the existing CP-ABE schemes, the single attribute authority must execute the time-consuming user legitimacy verification and secret key distribution, and hence, it results in a single-point performance bottleneck when a CP-ABE scheme is adopted in a large-scale cloud storage system. Users may be stuck in the waiting queue for a long period to obtain their secret keys, thereby resulting in low efficiency of the system. Although multiauthority access control schemes have been proposed, these schemes still cannot overcome the drawbacks of single-point bottleneck and low efficiency, due to the fact that each of the authorities still independently manages a disjoint attribute set. In this paper, we propose a novel heterogeneous framework to remove the problem of single-point performance bottleneck and provide a more efficient access control scheme with an auditing mechanism. Our framework employs multiple attribute authorities to share the load of user legitimacy verification. Meanwhile, in our scheme, a central authority is introduced to generate secret keys for legitimacy verified users. Unlike other multi-authority access control schemes, each of the authorities in our scheme manages the whole attribute set individually. To enhance security, we also propose an auditing mechanism to detect which attribute authority has incorrectly or maliciously performed the legitimacy verification procedure. Analysis shows that our system not only guarantees the security requirements but also makes great performance improvement on key generation.

Xin Liu,Hao Wang,Bo Zhang,Bin Zhang

DOI: https://doi.org/10.1016/j.ins.2021.10.038

IF: 8.1

2022-01-01

Information Sciences

Abstract:In a data access control system oriented toward the cloud storage environment, a data owner defines attribute-based access control policies for data files to realize fine-grained data sharing. However, the existing schemes have defects in user execution efficiency and user privacy protection, and they do not consider the problems of user revocation and attribute updates. To this end, we propose a ciphertext policy attribute-based encryption method with verifiable outsourced decryption; this requires a user to complete decryption with the help of a server, but the results of the outsourced decryption can be verified independently. With this new encryption scheme and the technique of k-times anonymous authentication, a new fine-grained data access control system was constructed; this system allows a server to provide users with outsourced decryption services, and users’ computation cost is independent of the size of the underlying access control policy. Moreover, the number of outsourced decryption requests is limited. In addition, the new system supports user revocation and attribute updates and it is provably secure under formal proofs. An efficiency analysis shows that it can be compared with other similar systems in terms of performance, despite the addition of several practical properties.

computer science, information systems

Wei Li,Kaiping Xue,Yingjie Xue,Jianan Hong

DOI: https://doi.org/10.1109/tpds.2015.2448095

IF: 5.3

2015-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Attribute-based Encryption (ABE) is regarded as a promising cryptographic conducting tool to guarantee data owners' direct control over their data in public cloud storage. The earlier ABE schemes involve only one authority to maintain the whole attribute set, which can bring a single-point bottleneck on both security and performance. Subsequently, some multi-authority schemes are proposed, in which multiple authorities separately maintain disjoint attribute subsets. However, the single-point bottleneck problem remains unsolved. In this paper, from another perspective, we conduct a threshold multi-authority CP-ABE access control scheme for public cloud storage, named TMACS, in which multiple authorities jointly manage a uniform attribute set. In TMACS, taking advantage of (t,n) threshold secret sharing, the master key can be shared among multiple authorities, and a legal user can generate his/her secret key by interacting with any t authorities. Security and performance analysis results show that TMACS is not only verifiable secure when less than t authorities are compromised, but also robust when no less than t authorities are alive in the system. Furthermore, by efficiently combining the traditional multi-authority scheme with TMACS, we construct a hybrid one, which satisfies the scenario of attributes coming from different authorities as well as achieving security and system-level robustness.

Chong Wang,Hao Jin,Ronglei Wei,Ke Zhou

DOI: https://doi.org/10.1007/s11227-021-04277-3

IF: 3.3

2022-01-20

The Journal of Supercomputing

Abstract:Attribute-based encryption(ABE) can enable user-centered data sharing in untrusted cloud scenario where users usually lack control on their outsourced data. However, existing ABE schemes have intrinsic limitations on scalability and revocation efficiency due to the bottleneck of a central authority and heavy re-encryption overhead on revocations. In this paper, we present a revocable decentralized attribute-based encryption scheme for data access control in cloud storage. In particular, by integrating decentralized attribute-based encryption, key regression technique, all-or-nothing transform, revocation list for involved attributes, and blacklist in a novel way, we provide a revocable ABE scheme with practical dynamic group membership and identity privacy protection, and meanwhile, it enhances the re-encryption efficiency caused by revocations without sacrificing security. We analyzed the security of our scheme. The experimental evaluation demonstrates that the cryptographic overhead on key derivation, encryption(decryption), and ABE ciphertext update are reasonable, and for the throughput of accessing encrypted data from the cloud, our scheme outperforms other schemes.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Xuanmei Qin,Yongfeng Huang,Zhen Yang,Xing Li

DOI: https://doi.org/10.1016/j.sysarc.2020.101854

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:Ciphertext-policy attribute-based encryption(CP-ABE) has been widely studied and used in access control schemes for secure data sharing. Since in most of the existing attribute-based encryption methods, all user attributes are managed by a single central authority, it is easy to cause a single point of failure. Therefore, several multi-authority CP-ABE schemes are proposed to manage user attributes by multiple authorities. However, these schemes still do not eliminate the single point of failure in essence or suffer from high computation and communication overhead on data users. In this paper, we propose a Blockchain-based Multi-authority Access Control scheme called BMAC for sharing data securely. Shamir secret sharing scheme and permissioned blockchain (Hyperledger Fabric) are introduced to implement that each attribute is jointly managed by multiple authorities to avoid single point of failure. In addition, we take advantage of blockchain technology to establish trust among multiple authorities and exploit smart contracts to compute tokens for attributes managed across multiple management domains, which reduces communication and computation overhead on the data user side. Moreover, blockchain helps to record the access control process in a secure and auditable way. Finally, we analyze the security of the proposed algorithm. Further analysis and comparison show the performance of the proposed method.

Chao Ma,Haiying Gao,Bin Hu

DOI: https://doi.org/10.1007/s11227-023-05867-z

IF: 3.3

2024-02-03

The Journal of Supercomputing

Abstract:Attribute-based encryption is a new cryptographic primitive that supports fine-grained access control of cloud data, and its access control function relies on the interaction of attributes and access structures. To achieve more flexible access control, attribute revocation has become an important problem that must be considered in the application process of attribute-based encryption. We propose and implement an efficient revocable ciphertext policy attribute-based encryption scheme based on the improvement of the scheme proposed by Tomida et al. Our scheme has the following characteristics: (1) It is adaptively secure under the Matrix Decisional Diffie–Hellman assumption; (2) it supports the multi-use of attribute classes and the negation of attribute values; (3) it supports the revocation of system attributes; and (4) the update of the key and ciphertext is completed by the trusted center and the cloud server, respectively, thereby decreasing revocation overhead for users.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Taeho Jung,Xiang-Yang Li,Zhiguo Wan

2012-01-01

Abstract:Cloud computing is a revolutionary computing paradigm which enables flexible, on-demand and low-cost usage of computing resources. However, those advantages, ironically, are the causes of security and privacy problems, which emerge because the data owned by different users are stored in some cloud servers instead of under their own control. To deal with security problems, various schemes based on the Attribute- Based Encryption (ABE) have been proposed recently. However, the privacy problem of cloud computing is yet to be solved. This paper presents an anonymous privilege control scheme AnonyControl to address the user and data privacy problem in a cloud. By using multiple authorities in cloud computing system, our proposed scheme achieves anonymous cloud data access, finegrained privilege control, and more importantly, tolerance to up to (N -2) authority compromise. Our security and performance analysis show that AnonyControl is both secure and efficient for cloud computing environment.

DOI: https://doi.org/10.1186/s13677-023-00414-w

2023-03-13

Journal of Cloud Computing

Abstract:Cloud file sharing (CFS) has become one of the important tools for enterprises to reduce technology operating costs and improve their competitiveness. Due to the untrustworthy cloud service provider, access control and security issues for sensitive data have been key problems to be addressed. Current solutions to these issues are largely related to the traditional public key cryptography, access control encryption or attribute-based encryption based on the bilinear mapping. The rapid technological advances in quantum algorithms and quantum computers make us consider the transition from the tradtional cryptographic primitives to the post-quantum counterparts. In response to these problems, we propose a lattice-based Ciphertext-Policy Attribute-Based Encryption(CP-ABE) scheme, which is designed based on the ring learing with error problem, so it is more efficient than that designed based on the learing with error problem. In our scheme, the indirect revocation and binary tree-based data structure are introduced to achieve efficient user revocation and dynamic management of user groups. At the same time, in order to further improve the efficiency of the scheme and realize file sharing across enterprises, the scheme also allows multiple authorities to jointly set up system parameters and manage distribute keys. Furthermore, by re-randomizing the user's private key and update key, we achieve decryption key exposure resistance(DKER) in the scheme. We provide a formal security model and a series of security experiments, which show that our scheme is secure under chosen-plaintext attacks. Experimental simulations and evaluation analyses demonstrate the high efficiency and practicality of our scheme.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Liu Wu,Sun Donghong,Ren Ping,Liu Ke

DOI: https://doi.org/10.1109/fskd.2016.7603356

2016-01-01

Abstract:A Reputation and Attribute Based Dynamic Access Control (RA-DAC) Framework for Privacy Protection in Cloud Computing Environment was presented in this paper. First, RA-DAC is used to encourage honest users for their good actions in cloud environment. Second, RA-DAC is also used to constraint malicious users for their destructive actions in cloud environment. And finally, based on RA-DAC we developed the Reputation and Attribute Based Dynamic Access Control System (RA-DACS) which is used to detect the malicious behaviors of dishonest users and automatically prevent their further action to threaten the security of the cloud computing environment.

Arthur S. Voundi Koe,Qi Chen,Juan Tang,Shan Ai,Hongyang Yan,Shiwen Zhang,Duncan S. Wong

DOI: https://doi.org/10.1002/int.23009

IF: 8.993

2022-09-09

International Journal of Intelligent Systems

Abstract:With recent advances in cloud computing, mobile devices are increasingly being used to record patient physiological parameters, and transfer them to a cloud‐based hospital information system, for access control mediation over a variety of stakeholders. In such a cloud‐based architecture, the patient must specify an access policy for a group of authorized parties towards its outsourced data. Multiauthority ciphertext‐policy attribute‐based encryption (CP‐ABE) was provided as an innovative cloud‐based access control cryptographic primitive to tackle the key escrow issue in a centralized architecture, and boost flexibility through cross‐domain attributes management. Existing works, however, still have glaring drawbacks. First, they still rely on a trusted authority to generate and distribute user secret keys. Second, they do not simultaneously provide encryption, decryption, or revocation outsourcing, resulting in high processing and communication cost for both the data sender and the data receiver. Third, they do not support both user and attribute revocation, and the integrity of ciphertext downloaded from the cloud is not always verified at the user end. As a result, this paper exploits the dummy attribute technique and introduces a novel, efficient, and secure multiauthority ciphertext‐policy ABE method for mediating access control over medical data, in the mobile cloud. The ciphertext access policy enforcement, partial ciphertext decryption, and both the user and attribute indirect revocation updates are safely outsourced to the cloud server in this study. Theoretical analysis demonstrates that our scheme is efficient and verifiable, and we prove that our construction is secure under the decisional bilinear Diffie‐Hellman assumption.

computer science, artificial intelligence

Ye Lu,Tao Feng,Chunyan Liu,Wenbo Zhang

DOI: https://doi.org/10.32604/cmc.2023.046106

2024-01-01

Abstract:The Access control scheme is an effective method to protect user data privacy. The access control scheme based on blockchain and ciphertext policy attribute encryption (CP–ABE) can solve the problems of single—point of failure and lack of trust in the centralized system. However, it also brings new problems to the health information in the cloud storage environment, such as attribute leakage, low consensus efficiency, complex permission updates, and so on. This paper proposes an access control scheme with fine-grained attribute revocation, keyword search, and traceability of the attribute private key distribution process. Blockchain technology tracks the authorization of attribute private keys. The credit scoring method improves the Raft protocol in consensus efficiency. Besides, the interplanetary file system (IPFS) addresses the capacity deficit of blockchain. Under the premise of hiding policy, the research proposes a fine-grained access control method based on users, user attributes, and file structure. It optimizes the data-sharing mode. At the same time, Proxy Re-Encryption (PRE) technology is used to update the access rights. The proposed scheme proved to be secure. Comparative analysis and experimental results show that the proposed scheme has higher efficiency and more functions. It can meet the needs of medical institutions.

computer science, information systems,materials science, multidisciplinary

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

XiaoFang Huang,Qi Tao,BaoDong Qin,ZhiQin Liu

DOI: https://doi.org/10.1109/icccn.2015.7288431

2015-01-01

Abstract:Attribute Based Encryption (ABE) scheme can achieve information sharing of one-to-many users, without considering the number of users and the users identity. But, the traditional single Attribute Authority (AA) ABE scheme can hardly meet requirements of different agencies in distributed application environment and it is easy to form the system performance bottlenecks. Based on ciphertext-policy ABE scheme, this paper proposes a multi-authority revocable ABE scheme, where the classification manages user attributes, effectively relieving the management burden of single organization. In addition, it can achieve fine grained access control of shared information by adopting tree access strategy and secret sharing scheme, and support system attribute revocation. Finally, we show that the scheme is secure against chosen plaintext attack under the Decisional Bilinear Diffie-Hellman (DBDH) assumption.

Xuejiao Liu,Yingjie Xia,Shasha Jiang,Fubiao Xia,Yanbo Wang

DOI: https://doi.org/10.1109/TrustCom.2013.60

2013-01-01

Abstract:Access control is one of the most important security mechanisms in cloud computing. Attributed based encryption provides an approach that allows data owners to integrate data access policies within the encrypted data. However, little work has been done to explore flexible authorization in specifying the data user's privileges and enforcing the data owner's policy in cloud based environments. In this paper, we propose a hierarchical attribute based access control scheme by extending ciphertext-policy attribute-based encryption (CP-ABE) with a hierarchical structure of multiauthorities and exploiting attribute-based signature (ABS). The proposed scheme not only achieves scalability due to its hierarchical structure, but also inherits fine-grained access control with authentication in supporting write privilege on outsourced data in cloud computing. In addition, we decouple the task of policy management from security enforcement by using the extensible access control markup language (XACML) framework. Extensive analysis shows that our scheme is both efficient and scalable in dealing with access control for outsourced data in cloud computing.

Jiguo Li,Ruyuan Zhang,Yang Lu,Jinguang Han,Yichen Zhang,Wenzheng Zhang,Xinfeng Dong

DOI: https://doi.org/10.1109/jsyst.2022.3208149

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In order to alleviate key escrow issue, the notion of multiauthority attribute-based encryption (MA-ABE) was presented, which was widely applied in cloud storage environment. In data sharing environment, secure data deletion is very crucial and challenging issue. Hence, in this article, we concentrate on verification of data deletion operation, i.e., assuring data deletion. To solve this problem, we put forward a system model, formal definition and security model of MA-ABE for assuring data deletion. Furthermore, we design a MA-ABE scheme for assuring data deletion, which is more practicable than the single authority ABE scheme. The designed scheme not only overcomes key escrow issue, but also resists collusion attack between malicious user and unauthorized user. In addition, our scheme utilizes merkle hash tree to obtain verifiable data deletion. Based on decisional bilinear Diffie-Hellman (DBDH) assumption, the scheme is proven to be secure under the selective-policy model. The experimental result indicates that the designed scheme is efficient for practical application.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science