Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.18293/seke2015-37

2015-01-01

Abstract:One primary challenge of applying access control methods in cloud computing is to ensure data security while supporting access efficiency, particularly when adopting multiple access control policies.Many existing works attempt to propose suitable frameworks and schemes to solve the problems, however, these proposals only satisfy specified use cases.In this paper, we take XACML as the policy language and build up a logical model.Based on this, we introduce the fine-grained data fragment algorithm to optimize the policies, whose resource property represents physical meaningful data blocks.Data are organized in a tree structure, where each leaf node represents a minimal physical meaningful data block, and internal nodes are combined data types.This method can eliminate conflicts and redundancies among rules and policies, thus to refine the policy set and achieve fine-grained access control.Our approach can also be applied to processing multi-types of data, and experiments are carried out to show the improvements of efficiencies.

Xinfeng Ye,Bakh Khoussainov

DOI: https://doi.org/10.1504/IJGUC.2013.056252

2013-01-01

Abstract:Fine-grained access control schemes are commonly used in cloud computing. In this type of schemes, each data item is given its own access control policy. The entity that wants to access the data item needs to provide its credentials to a policy enforcer. In a cloud environment, normally, the policy enforcer is not the owner of the data. The access control policies and the credentials might reveal some information that the policy enforcer is not entitled to know. This paper proposes a fine-grained access control scheme. It prevents the policy enforcers from comprehending the access control policies and the entities' credentials by using cryptographic techniques. Compared with the existing schemes, the proposed scheme provides higher level privacy.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Song Lingwei,Yu Fang,Zhang Ru,Niu Xinxin

DOI: https://doi.org/10.1016/s1005-8885(15)60637-9

2015-01-01

Abstract:Cloud computing is a developing computing paradigm in which resources of the computing infrastructure are provided as services over the network. Hopeful as it is, this paradigm also brings new challenges for data security and encryption storage when date owner stores sensitive data for sharing with untrusted cloud servers. When it comes to fine-grained data and scalable access control, a huge computation for key distribution and data management is required. In this article, we achieved this goal by exploiting and uniquely combining techniques of ciphertext-policy attribute-based encryption (CP-ABE), linear secret sharing schemes (LSSS), and counter (CTR) mode encryption. The proposed scheme is highly efficient by conducting the revocation on attribute level rather than on user level. The goals of data confidentiality and no collusion attack (even the cloud servers (CS) collude with users), as well as ones of fine-grainedness and scalability, are also achieved in our access structure.

Peng Zhao,Lifa Wu,Zheng Hong,He Sun

DOI: https://doi.org/10.23919/jcc.2019.09.017

2019-01-01

China Communications

Abstract:Multicloud access control is important for resource sharing and security interoperability across different clouds, and heterogeneity of access control policy is an important challenge for cloud mashups. XACML is widely used in distributed environment as a declaratively fine-grained, attribute-based access control policy language, but the policy integration of XACML lacks formal description and theory foundation. Multicloud Access Control Policy Integration Framework (MACPIF) is proposed in the paper, which consists of Attribute-based Policy Evaluation Model (ABPEM), Four-value Logic with Completeness (FLC) and Four-value Logic based Policy Integration Operators (FLPIOs). ABPEM evaluates access control policy and extends XACML decision to four-value. According to policy decision set and policy integration characteristics, we construct FLC and define FLPIOs including Intersection, Union, Difference, Implication and Equivalence. We prove that MACPIF can achieve policy monotonicity, functional completeness, canonical suitability and canonical completeness. Analysis results show that this framework can meet the requirements of policy integration in Multicloud.

Dinh Tien Tuan Anh,Wang Wenqiang,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.1108.3915

2011-09-22

Abstract:Sharing data from various sources and of diverse kinds, and fusing them together for sophisticated analytics and mash-up applications are emerging trends, and are prerequisites for grand visions such as that of cyber-physical systems enabled smart cities. Cloud infrastructure can enable such data sharing both because it can scale easily to an arbitrary volume of data and computation needs on demand, as well as because of natural collocation of diverse such data sets within the infrastructure. However, in order to convince data owners that their data are well protected while being shared among cloud users, the cloud platform needs to provide flexible mechanisms for the users to express the constraints (access rules) subject to which the data should be shared, and likewise, enforce them effectively. We study a comprehensive set of practical scenarios where data sharing needs to be enforced by methods such as aggregation, windowed frame, value constrains, etc., and observe that existing basic access control mechanisms do not provide adequate flexibility to enable effective data sharing in a secure and controlled manner. In this paper, we thus propose a framework for cloud that extends popular XACML model significantly by integrating flexible access control decisions and data access in a seamless fashion. We have prototyped the framework and deployed it on commercial cloud environment for experimental runs to test the efficacy of our approach and evaluate the performance of the implemented prototype.

Databases,Networking and Internet Architecture

Yong Wang,Long-Xing Wei,Chang-Zhen Hu,Xiao-Lin Zhao

2014-01-01

Abstract:CP-ABE (Cipher-text Policy Attribute Based Encryption) can help providing reliable, fine-grained access control in untrusted cloud storage environment, since users can access to data files only if their attributes satisfy the access policies associated with the files. However, CP-ABE has two main drawbacks: its policies are not expressed using standard languages and it can't support non-monotonic policies. So we extended CP-ABE to support XACML (eXtensible Access Control Markup Language) based policy transformation and to support logical NOT in policies through De Morgan's Laws. And then we applied it to a secure overlay cloud storage system called FADE to deploy access control for Amazon S3 cloud storage service. The simulation results show that our proposal is practical and time efficient.

Aijuan Zhang,Jingxiang Gao,Cheng Ji

DOI: https://doi.org/10.4028/www.scientific.net/AMR.225-226.848

2011-01-01

Abstract:Distributed applications often require integrating security policies of collaborating parties. The integration must be able to support complex authorization specifications and the fine-grained resources access requirements that the various parties may have. But now security modeling is not considered as a vital part in software development. In this paper, it is proposed to integrate the design of access control policy into software development. In this paper, UML is used to model access control policy, and then a framework is designed to generate the security model result expressed in XACML and to verify the policy correct and complete.

Mounira Msahli,Xiuzhen Chen,Ahmed Serhrouchni

DOI: https://doi.org/10.1109/ICEBE.2014.56

2014-01-01

Abstract:The centerpiece of an efficient Cloud security architecture is a well-defined access control policy. In literature we can find several access control models such as the Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC) and the latest one Usage Control Authorization, oBligation and Condition (UCONABC). The UCONABC is very suitable for the context of distributed systems like cloud computing but it doesn't give any implementation method. In this paper we define the profile centric model using graph formalism and its implementation using matrix. We define the profile as the combination of all possible authorization, obligation, condition, role, etc... and other access parameters like attributes that we can found in Cloud system. We discuss its application using three matrixes (profile definition, profile inheritance and user assignment). Profile centric modeling is an optimum paradigm to define access control policy in complex distributed and elastic system like cloud computing. The proposed solution is validated and implemented over Hadoop distributed file system in the context of Safe Box as a service.

E. Chen,Yan Zhu,Kaitai Liang,Hongjian Yin

DOI: https://doi.org/10.1109/tcc.2021.3104323

IF: 5.697

2021-01-01

IEEE Transactions on Cloud Computing

Abstract:The increasing popularity of remote Cloud File Sharing (CFS) has become a major concern for privacy breach of sensitive data. Aiming at this concern, we present a new resource sharing framework by integrating enterprise-side Attribute-Based Access Control/eXtensible Access Control Markup Language (ABAC/XACML) model, client-side Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme, and cloud-side CFS service. Moreover, the framework workflow is provided to support the encrypted-file writing and reading algorithms in accordance with ABAC/XACML-based access policy and attribute credentials. However, an actual problem of realizing this framework is that policy matrix, derived from access policy, seriously affects the performance of existing CP-ABE from Lattice (CP-ABE-L) schemes. To end it, we present an optimal generation algorithm of Small Policy Matrix (SPM), which only consists of small elements, and generates an all-one reconstruction vector. Based on such a matrix, the improved CP-ABE-L scheme is proposed to reduce the cumulative errors to the minimum and prevent the enlargement of error bounds. Furthermore, we give the optimal estimation of system parameters to implement a valid Error Proportion Allocation (EPA). Our experimental results indicate that our scheme has short size of parameters and enjoys efficient computation and storage overloads. Thus, our new framework with optimization methods is conducive to enhancing the security and efficiency of remote work on CFS.

Wen Qiang Wang,Dinh Tien Tuan Anh,Hock Beng Lim,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.1205.6349

2012-06-01

Abstract:The proliferation of sensing devices create plethora of data-streams, which in turn can be harnessed to carry out sophisticated analytics to support various real-time applications and services as well as long-term planning, e.g., in the context of intelligent cities or smart homes to name a few prominent ones. A mature cloud infrastructure brings such a vision closer to reality than ever before. However, we believe that the ability for data-owners to flexibly and easily to control the granularity at which they share their data with other entities is very important - in making data owners feel comfortable to share to start with, and also to leverage on such fine-grained control to realize different business models or logics. In this paper, we explore some basic operations to flexibly control the access on a data stream and propose a framework eXACML+ that extends OASIS's XACML model to achieve the same. We develop a prototype using the commercial StreamBase engine to demonstrate a seamless combination of stream data processing with (a small but important selected set of) fine-grained access control mechanisms, and study the framework's efficacy based on experiments in cloud like environments.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Tonglai Liu,Jigang Wu,Jiaxing Li,Jingyi Li,Yidong Li

DOI: https://doi.org/10.1002/cpe.6383

2021-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryAccess control is an important technique in information security that allows legitimate users to gain access to and prevent unauthorized users from getting access to resources in a system. The restriction between access from a user and a shared file of the data owner can be determined by the access policy. In most existing access control models, it is assumed that all entities, including users, the third party, and cloud service provider (CSP), are in the same trust domain. However, in cloud computing environments, it is usually assumed that the CSP cannot be fully trusted, and the data owner (DO) is desired to have the absolute initiative to control data access. This article proposes a blockchain‐based access control scheme for cloud computing, in which the DO maintains an access matrix to describe the access policy. Then, the public keys of all nodes and the access matrix are stored in the blockchain, to ensure the security of the proposed scheme. The DOs can encrypt the large shared files once using a symmetric key in a long time. And they also can encrypt the symmetric key in parallel using the public key of authorized users in a short time. Security analysis proves that the proposed scheme is able to prevent outsourced files from unauthorized access and collusion attack. Experimental results show that the proposed scheme outperforms the existing baselines in terms of overheads on computation and storage. On average, the computation overhead of the proposed scheme is lower than that of the scheme SVPAC, PpBAC, and Timely CP‐ABE by 25.37%, 45.46%, and 36.44%, respectively. The communication overhead of the proposed scheme is lower than that of the scheme Timely CP‐ABE by 17.16%, and it is more secure, although it is higher than that of the scheme SVPAC and PpBAC by 5.88% and 39.05%. And the storage overhead of the proposed scheme is lower than that of the scheme SVPAC, PpBAC, and Timely CP‐ABE by 59.36%, 20.25%, and 61.88%, respectively.

Xiao-Yong Li,Yong Shi,Yu Guo,Wei Ma

DOI: https://doi.org/10.1109/cise.2010.5677061

2010-01-01

Abstract:Though cloud computing has many advantages, it still faces a big challenge of security and privacy problem. This problem is also an obstacle to cloud computing since no one is willing to run his businesses in facilities he has no control over it. Moreover, since cloud computing is a multi-tenancy IT service mode, there should be a capability to compartmentalize different customers in cloud facilities; therefore, security duty separation between CSP and customers must be supported in cloud. However, this security duty separation is not common in traditional security mechanisms. Multi-tenancy based access control model (MTACM) was designed to embed the security duty separation principle in cloud; it was a two granule level access control mechanism, one was tenant granule for CSP to compartmentalize different customers, the other was application granule for customers to control the access to their own applications. MTACM was technically and practically feasible. A prototype introduced in this paper showed that MTACM has a good performance.

Luokai Hu,Shi Ying,Xiangyang Jia,Kai Zhao

DOI: https://doi.org/10.1007/978-3-642-10665-1_13

2009-01-01

Abstract:With the development of cloud computing, the mutual understandability among distributed Access Control Policies (ACPs) has become an important issue in the security field of cloud computing. Semantic Web technology provides the solution to semantic interoperability of heterogeneous applications. In this paper, we analysis existing access control methods and present a new Semantic Access Control Policy Language (SACPL) for describing ACPs in cloud computing environment. Access Control Oriented Ontology System (ACOOS) is designed as the semantic basis of SACPL. Ontology-based SACPL language can effectively solve the interoperability issue of distributed ACPs. This study enriches the research that the semantic web technology is applied in the field of security, and provides a new way of thinking of access control in cloud computing.

Jin Li,Gansen Zhao,Xiaofeng Chen,Dongqing Xie,Chunming Rong,Wenjun Li,Lianzhang Tang,Yong Tang

DOI: https://doi.org/10.1109/cloudcom.2010.44

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which IT resources and capacities are provided as services over the Internet. Promising as it is, this paradigm also brings forth new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are likely outside of the same trust domain of data owners. To maintain the confidentiality of, sensitive user data against untrusted servers, existing work usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. In this paper, we present a way to implement, scalable and fine-grained access control systems based on attribute-based encryption (ABE). For the purpose of secure access control in cloud computing, the prevention of illegal key sharing among colluding users is missing from the existing access control systems based on ABE. This paper addresses this challenging open issue by defining and enforcing access policies based on data attributes and implementing user accountability by using traitor tracing. Furthermore, both the user grant and revocation are efficiently supported by using the broadcast encryption technique. Extensive analysis shows that the proposed scheme is highly efficient and provably secure under existing security models.

Nguyen Minh Hoang,Ha Xuan Son

DOI: https://doi.org/10.1145/3309074.3309097

2019-01-01

Abstract:Access control is a security technique that specifies access rights to resources in a cloud computing environment. As information in cloud systems nowadays become more complex, it plays an important role in authenticating and authorizing users and preventing an attacker from targeting sensitive information. However, in recent years, with the popularity of the Internet as social network, IoTs which deploy in cloud platforms for sharing data in real-time, more and more challenges have been exposed. For example, the access control mechanism must be able to guarantee fine-grained access control, privacy protection, conflicts and redundancies handle between rules of the same policy or between different policies. In this paper, we proposed an access control model based on attribute that incorporates a policy model based on the combining algorithm and prioritization of functions to resolve conflicts at a fine-grained level called "Dynamic model for fine-grained policy conflict resolution". Experiments are carried out to illustrate the relationship between the processing time for the traditional approach (single policy, multi-policy without priority) and our approach (multi-policy with priority). Experimental results show that the evaluation performance satisfies the privacy requirements defined by the user.

Su Huang,Yuan Luo

DOI: https://doi.org/10.1049/cp.2014.1263

2014-01-01

Abstract:Cloud storage services enable users to remotely store their data and conveniently share their information. One critical issue is how to achieve data security and realize data access policy in cloud storage services. Existing schemes based on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) have been proposed to achieve secure access control for outsourced data in cloud computing. However, due to the inefficiency of decryption and the inflexibility, most of these schemes are not suitable to realize distributed access control for cloud storage systems. In this paper, we propose a fully distributed, scalable and effective data access control scheme to encrypt and decrypt data, which bases on the lowest density maximum distance separable (LD-MDS) code.The introduction of the LD-MDS code in this field improves performance greatly in decryption stage. Security analysis indicates that the proposed scheme is secure and achieves fine-grained access control, collusion resistant, backward security and forward security simultaneously. Extensive performance analysis and experiment show that our scheme is much more efficient than existing CP-ABE system in cloud storage services.

E. Chen,Yan Zhu,Guizhen Zhu,Kaitai Liang,Rongquan Feng

DOI: https://doi.org/10.1016/j.cose.2021.102318

IF: 5.105

2021-01-01

Computers & Security

Abstract:The stunning growth of Internet users through Cloud File Sharing (CFS) is raising great concerns about unprecedented cloud security and privacy breach. Also, the recent breakthrough in quantum computing further reinforces this kind of concerns, thus we exploit an efficient solution to guarantee personal privacy and resist quantum attacks in the CFS service. In our solution, we integrate the Attribute-based Access Control/eXtensible Access Control Markup Language (ABAC/XACML) model and the Ciphertext-Policy Attribute-Based Encryption (CPABE) into the CFS. To improve the performance of CP-ABE, we make use of an optimization method to convert the ABAC/XACML policy into a Small Policy Matrix (SPM). We further prove that this matrix has small coefficients and generates an all-one reconstruction vector, such that it reduces the cumulative error in lattice cryptosystem to the minimum. By using the SPM, we design a new CP-ABE scheme from Lattice (CP-ABE-L) to prevent the enlargement of error bounds. We also give the optimal estimation of system parameters, which satisfy three lattice-generation conditions to implement a valid Error Proportion Allocation (EPA). Our scheme is proved secure against chosen-plaintext attack with a selective attribute set under the Decision Learning with Errors (DLWE) assumption in the standard model. The performance evaluation and analyses illustrate that our scheme not only has short parameters, but also maintains efficient computation and reasonable storage overloads. (c) 2021 Elsevier Ltd. All rights reserved.

Qinlong Huang,Nan Li,Yixian Yang

DOI: https://doi.org/10.1109/glocom.2018.8648113

2018-01-01

Abstract:Data collaboration is more and more popular in cloud computing. In a typical collaboration scenario, data owner outsources the data to cloud platforms, and users can access and re-upload the data. In consideration of the semi-trusted cloud platform, attribute-based encryption (ABE) has been utilized to guarantee data confidentiality and fine-grained access control. However, how to allow the collaborative data to be accessed only by authorized users in a flexible and dynamic manner is a challenging problem. In this paper, we propose DACSC, a dynamic and fine-grained access control scheme for secure data collaboration in cloud computing. First of all, we adopt ciphertext-policy ABE technique to define the original access policy of outsourced data. Second, we introduce a tree-based policy extending framework which allows users who satisfy the original access policy to customize a new access policy and add it to current access policies in a non-restrictive or restrictive way. Furthermore, we achieve integrity checking during the policy extending procedure based on ABE with equality test algorithm, which ensures that the added access policy comes from authorized user. The security analysis and experimental results indicate that DACSC is secure and efficient, and is suitable for the data collaboration scenario in cloud computing.