Jianwei Chen,Huadong Ma

DOI: https://doi.org/10.1109/CLOUD.2014.74

2014-01-01

Abstract:Along with a large amount of data being outsourced to the cloud, it is imperative to enforce a secure, efficient and privacy-aware access control scheme on the cloud. Decentralized Attribute-based Encryption (ABE) is a variant of multi-authority ABE scheme which is regarded as being more suited to access control in a large-scale cloud. Constructing a decentralized ABE scheme should not need a central Attribute Authority (AA) and any cooperative computing, where most schemes are not efficient enough. Moreover, they introduced a Global Identifier (GID) to resist the collusion attack from users, but corrupt AAs can trace a user by his GID, resulting in the leakage of the user's identity privacy. In this paper, we design a privacy-preserving decentralized access control framework for cloud storage systems, and propose a decentralized CP-ABE access control scheme with the privacy preserving secret key extraction. Our scheme does not require any central AA and coordination among multi-authorities. We adopt Pedersen commitment scheme and oblivious commitment based envelope protocols as the main cryptographic primitives to address the privacy problem, thus the users receive secret keys only for valid identity attributes while the AAs learn nothing about the attributes. Our theoretical analysis and extensive experiment demonstrate the presented scheme's security strength and effectiveness in terms of scalability, computation and storage.

Qian Xu,Chengxiang Tan,Zhijie Fan,Wenye Zhu,Ya Xiao,Fujia Cheng

DOI: https://doi.org/10.1109/access.2018.2844829

IF: 3.9

2018-01-01

IEEE Access

Abstract:Nowadays, secure data access control has become one of the major concerns in a cloud storage system. As a logical combination of attribute-based encryption and attribute-based signature, attribute-based signcryption (ABSC) can provide confidentiality and an anonymous authentication for sensitive data and is more efficient than traditional ``encrypt-then-sign”or ``sign-then-encrypt”strategies. Thus, ABSC is suitable for fine-grained access control in a semi-trusted cloud environment and is gaining more and more attention in recent years. However, in many previous ABSC schemes, user's sensitive attributes can be disclosed to the authority, and only a single authority that is responsible for attribute management and key generation exists in the system. In this paper, we propose PMDAC-ABSC, a novel privacy-preserving data access control scheme based on Ciphertext-Policy ABSC, to provide a fine-grained control measure and attribute privacy protection simultaneously in a multi-authority cloud storage system. The attributes of both the signcryptor and the designcryptor can be protected to be known by the authorities and cloud server. Furthermore, the decryption overhead for user is significantly reduced by outsourcing the undesirable bilinear pairing operations to the cloud server without degrading the attribute privacy. The proposed scheme is proven to be secure in the standard model and has the ability to provide confidentiality, unforgeability, anonymous authentication, and public verifiability. The security analysis, asymptotic complexity comparison, and implementation results indicate that our construction can balance the security goals with practical efficiency in computation.

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-030-05345-1_31

2018-01-01

Abstract:The emerging attribute-based access control (ABAC) mechanism is an expressive, flexible, and manageable authorization technique that is particularly suitable for current distributed, inconstant and complex service-oriented scenarios. Unfortunately, the inevitable disclosure of attributes that carry sensitive information bring significant risks to users' privacy, which obstructs the further development and popularization of the ABAC severely. In this paper, we propose an effective privacy-preserving ABAC (P-ABAC) scheme to defend against privacy leakage risks of users' attributes. In the P-ABAC approach, the necessary sensitive attributes are securely handled on the service requester side by using the homomorphic encryption method for privacy protection. And meanwhile, the service provider is still able to make accurate access decisions according to the received attribute ciphertext and pre-set policies with the help of the homomorphic encryption-based secure multi-party computation techniques, while learning no privacy information. The theoretical analysis proves that our model contributes to making an efficient and effective ABAC model with the enhanced privacy-protection feature.

Shan-Shan Tu,Shao-Zhang Niu,Meng-Jiao Li

DOI: https://doi.org/10.2478/cait-2013-0027

2013-01-01

Cybernetics and Information Technologies

Abstract:In order to keep the confidential data in the cloud against unauthorized parties, a cryptographic access control solution based on Attribute-Based Encryption (ABE) and Identity-Based Signature (IBS) is introduced in this paper. Under the premise that cloud service provider is untrustful, the proposed scheme can ensure the data security of the cloud storage system in an open environment, as well as reduce the complexity of management. Analysis and experimental results show that the scheme can be semantically secure against adaptive chosen ciphertext attacks under the random oracle model. Our concrete access control scheme can enhance the efficiency of the cloud to a certain extent.

Chanying Huang,Songjie Wei,Kedong Yan,Gongxuan Zhang,Anmin Fu

DOI: https://doi.org/10.23919/apsipa.2018.8659725

2018-01-01

Abstract:Cloud computing is a revolutionary information technology paradigm, which provides users with unlimited, scalable, low-cost and convenient resource services. Challenging security issues such as user privacy, access control, etc. still urgently need to be addressed. Authentication, as the first line of defence to guarantee cloud security, still faces great security and privacy challenges. Users' privacy is generally neglected during authentication. Some authentication solutions provide privacy preservation yet do not consider fine-grained access control. To solve this problem, existing authentication schemes applied bilinear pairing for authorized and fine-grained access to cloud data. However, efficiency is still an unsolved challenge for the bilinear pairing cryptography. To address the challenge, this paper proposes an efficient attribute-based authentication scheme. The proposed authentication scheme can achieve efficient fine-grained access control and privacy preservation as well. We conduct theoretical security analysis, and carry out experiments to prove that the proposed scheme has good performance in terms of computational, communication and storage overheads.

Yang Zhang,Jun-Liang Chen

DOI: https://doi.org/10.1109/ICDCSW.2012.65

2012-01-01

Abstract:With the rapid application of service-oriented technologies, service and data outsourcing has become a practical and useful computing paradigm. Combined use of access control and cryptography was proposed by many researchers to protect sensitive information in this outsourcing scenario. However, the rigid combination in existing approaches has difficulty in satisfying the flexibility requirement of access control for diverse applications. In this paper, we propose an access control service for public cloud storage, where authorization is controlled by the data owner, and the PDP (Policy Decision Point) and PEP (Policy Enforcement Point) can be securely delegated. In order to implement the service, an attribute-full proxy re-encryption scheme is presented as its corner stone. The other features of our service are as follows: simple key management without the need of key derivation for users to decrypt cipher texts, composing attributes for accessing resources with subject attributes' having inner structures, and authorization relatively separating from encryption. We also give some proofs and analysis of our implementation.

Jian Wang,Chunxiao Ye,Yangfei Ou

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00092

2019-01-01

Abstract:Cloud computing have brought a lot of advantages, such as reducing the hardware cost and providing a convenient cloud storage service. More and more people choose to put their private data in the cloud. However, due to data outsourcing and seminal-trusted cloud servers, data access control has becoming a challenging issue. To protect data security and privacy, some ciphertext policy attribute-based encryption (CP-ABE) schemes have been applied to cloud data access control. However, there are two dynamic issues, namely attribute revocation and policy updating, that need to be solved in the existing CP-ABE schemes. In this paper, we propose a fine-grained dynamic multi-authority cloud data access control scheme, which can solve the above two problems. Besides, our scheme can also support user revocation, which make it more practical. The analysis and simulation results show that our scheme is secure in the random oracle model and is efficient.

Hong Zhong,Wenlong Zhu,Yan Xu,Jie Cui

DOI: https://doi.org/10.1007/s00500-016-2330-8

2016-01-01

Abstract:For realizing the flexible, scalable and fuzzy fine-grained access control, ciphertext policy attribute-based encryption (CP-ABE) scheme has been widely used in the cloud storage system. However, the access structure of CP-ABE scheme is outsourced to the cloud storage server, resulting in the disclosure of access policy privacy. In addition, there are multiple authorities that coexist and each authority is able to issue attributes independently in the cloud storage system. However, existing CP-ABE schemes cannot be directly applied to data access control for multi-authority cloud storage system, due to the inefficiency for user revocation. In this paper, to cope with these challenges, we propose a decentralized multi-authority CP-ABE access control scheme, which is more practical for supporting the user revocation. In addition, this scheme can protect the data privacy and the access policy privacy with policy hidden in the cloud storage system. Here, the access policy that is realized by employing the linear secret sharing scheme. Finally, the security and performance analyses demonstrate that our scheme has high security in terms of access policy privacy and efficiency in terms of computational cost of user revocation.

Min Liang,Hui Zhang,Fei Gao,Hao Wang,Jun Wei,Ming Huang

DOI: https://doi.org/10.1109/iccsn.2019.8905252

2019-01-01

Abstract:The attribute-based encryption (ABE) mechanism enables fine-grained access control of sensitive data and data encryption. The ciphertext-policy ABE (CP-ABE) based on the ideal lattices has the advantages of small private key length and high computational efficiency Aiming at the multi-task parallel and multi-user access of Space Control Center, this paper analyzes the multi-user data access mode and data encryption key structure of Space Control Center and proposes a kind of ABE access control scheme based on ideal lattice in private cloud for Space Control Center. This paper also designs s targeted direct attribute revocation mechanism. Security analysis and program comparison were carried out. The analysis shows that the scheme can meet the multi-user access control requirements of Space Control Center, and the access control granularity meets the actual situation.

Rui Zhang,Peishuai Chen

DOI: https://doi.org/10.4156/IJIPM.VOL4.ISSUE1.13

2012-08-01

Abstract:The cloud storage services is a technology in cloud computing, which provides the online storage services for data owners over the Internet. It enables data owners to remotely store their data into a cloud so that to enjoy scalable services pay-on-demand. However, allowing the cloud servers to take care of the confidential data, which may bring many challenges for data security and access control. In order to achieve security, fine-grained and flexible access control for cloud storage services, we present a cryptographic access control scheme called CS-CACS based on encryption (CP-ABE), which is implemented based on the HDFS workstation. Meanwhile, we combine the proxy re-encryption and lazy re-encryption to make the cloud servers do most of re-encryption computing when the user's permission is revoked, which greatly reduces the computation cost of data owners. Our scheme has prominent properties of user access permission confidentiality and user secret key accountability. Performance analysis shows that the proposed scheme is efficient and security when the more users access data in the cloud storage.

Computer Science

Rui Luo,Yuanzhi Yao,Weihai Li,Nenghai Yu

DOI: https://doi.org/10.1007/978-3-031-06761-7_43

2022-01-01

Abstract:Cloud storage service has significant advantages on both cost reduction and convenient data sharing. It frees data owners from technical management. However, it poses new challenges on privacy and security protection. To protect data confidentiality and privacy of users against malicious entities in the cloud, fine-grained data access control in cloud storage has become a challenging issue and draws considerable investigation. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic technique to address the above issue. In many scenarios, access policies are associated with privacy and sensitive information of users which needs to be preserved from disclosure. However, existing schemes cannot simultaneously support time-sensitive data publishing and attribute information preservation. In this paper, we propose a privacy-preserving time and attribute factors combined cloud data access control with computation outsourcing scheme (named PTAC). To preserve attribute privacy, we design a dual access policy tree mechanism where one access policy tree is public and another is sensitive and hidden. Moreover, time-sensitive data publishing can be achieved by combining CP-ABE with timed-release encryption. By using edge computing and cloud computing, we also outsource partitive computational cost of encryption and decryption to third parties. Extensive security and performance analysis demonstrate the security and efficiency of our proposed scheme in cloud storage. As a result, valuable attribute information in the access policy can be preserved in case of disclosing to unauthorized recipients.

Meng Xian Yong,Chen Zhong,Meng Xiang Yu

DOI: https://doi.org/10.4028/www.scientific.net/amm.475-476.1144

2013-01-01

Applied Mechanics and Materials

Abstract:In this paper, a novel decentralized key-policy attribute-based signcryption (ABS) scheme is proposed, where each authority can generate secret-public key pair for the user independently without any cooperation and a centralized authority. In the proposed scheme, each authority can join or leave the system randomly without reinitializing the system, and issue secret-public keys to user respectively. Therefore, it is clear that the multi-authority attribute-based access control scheme can reduce the communication cost and the collaborative computing cost. Additionally, the attribute-based signcryption scheme is efficient in terms of both the identification authentication and the confidential communication, and can realize security secret sharing in cloud computing environments.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Leyou Zhang,Yilei Cui,Yi Mu

DOI: https://doi.org/10.1109/JSYST.2019.2911391

IF: 4.802

2020-01-01

IEEE Systems Journal

Abstract:Data sharing is a convenient and economic service supplied by cloud computing. Data contents privacy also emerges from it since the data is outsourced to some cloud servers. To protect the valuable and sensitive information, various techniques are used to enhance access control on the shared data. In these techniques, Ciphertext-policy attribute-based encryption (CP-ABE) can make it more convenient and secure. Traditional CP-ABE focuses on data confidentiality merely, while the user's personal privacy protection is an important issue at present. CP-ABE with hidden access policy ensures data confidentiality and guarantees that user's privacy is not revealed as well. However, most of the existing schemes are inefficient in communication overhead and computation cost. Moreover, most of those works take no consideration about authority verification or the problem of privacy leakage in authority verification phase. To tackle the problems mentioned above, a privacy preserving CP-ABE scheme with efficient authority verification is introduced in this paper. Additionally, the secret keys of it achieve constant size. Meanwhile, the proposed scheme achieves the selective security under the decisional n-BDHE problem and decisional linear assumption. The computational results confirm the merits of the presented scheme.

Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.14257/ijsia.2016.10.10.27

2016-01-01

International Journal of Security and Its Applications

Abstract:Nowadays, more and more users outsource their data to third party cloud storage servers for the purpose of sharing, so cloud data sharing becomes one of the popular services offered by cloud service providers. However, the third party storage servers in cloud data sharing systems, which are not fully trusted by data owners, make access control to the shared data a challenging issue. Although Ciphertext-Policy AttributeBased Encryption (CP-ABE) is an emerging cryptographic solution for this issue, dealing with dynamic changes to users' access privileges (attribute revocation) in its practical applications as cloud data sharing systems is a real challenge. To overcome this challenge, we propose a fine-grained access control scheme for cloud data sharing systems by designing secure and efficient attribute-revocable CP-ABE scheme. Our scheme only allows non-revoked users in the attribute group to update their secret key by themselves using their unique key-update keys and the ciphertexts are updated by minimally trusted cloud server using a ciphertext-update key. Compared with the existing access controls achieved by attribute-revocable CP-ABE schemes, our proposed access control scheme reduces the trust degree of the cloud server in the attribute revocation mechanism. Furthermore, the analysis indicates that our access control scheme is more secure and efficient to apply to practical scenarios.

Kaiping Xue,Yingjie Xue,Jianan Hong,Wei Li,Hao Yue,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2016.2647222

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data access control is a challenging issue in public cloud storage systems. Ciphertext-policy attribute-based encryption (CP-ABE) has been adopted as a promising technique to provide flexible, fine-grained, and secure data access control for cloud storage with honest-but-curious cloud servers. However, in the existing CP-ABE schemes, the single attribute authority must execute the time-consuming user legitimacy verification and secret key distribution, and hence, it results in a single-point performance bottleneck when a CP-ABE scheme is adopted in a large-scale cloud storage system. Users may be stuck in the waiting queue for a long period to obtain their secret keys, thereby resulting in low efficiency of the system. Although multiauthority access control schemes have been proposed, these schemes still cannot overcome the drawbacks of single-point bottleneck and low efficiency, due to the fact that each of the authorities still independently manages a disjoint attribute set. In this paper, we propose a novel heterogeneous framework to remove the problem of single-point performance bottleneck and provide a more efficient access control scheme with an auditing mechanism. Our framework employs multiple attribute authorities to share the load of user legitimacy verification. Meanwhile, in our scheme, a central authority is introduced to generate secret keys for legitimacy verified users. Unlike other multi-authority access control schemes, each of the authorities in our scheme manages the whole attribute set individually. To enhance security, we also propose an auditing mechanism to detect which attribute authority has incorrectly or maliciously performed the legitimacy verification procedure. Analysis shows that our system not only guarantees the security requirements but also makes great performance improvement on key generation.

Kaiping Xue,Weikeng Chen,Wei Li,Jianan Hong,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2018.2809679

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:People endorse the great power of cloud computing, but cannot fully trust the cloud providers to host privacy-sensitive data, due to the absence of user-to-cloud controllability. To ensure confidentiality, data owners outsource encrypted data instead of plaintexts. To share the encrypted files with other users, ciphertext-policy attribute-based encryption (CP-ABE) can be utilized to conduct fine-grained and owner-centric access control. But this does not sufficiently become secure against other attacks. Many previous schemes did not grant the cloud provider the capability to verify whether a downloader can decrypt. Therefore, these files should be available to everyone accessible to the cloud storage. A malicious attacker can download thousands of files to launch economic denial of sustainability (EDoS) attacks, which will largely consume the cloud resource. The payer of the cloud service bears the expense. Besides, the cloud provider serves both as the accountant and the payee of resource consumption fee, lacking the transparency to data owners. These concerns should be resolved in real-world public cloud storage. In this paper, we propose a solution to secure encrypted cloud storages from EDoS attacks and provide resource consumption accountability. It uses CP-ABE schemes in a black-box manner and complies with arbitrary access policy of the CP-ABE. We present two protocols for different settings, followed by performance and security analysis.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Li Kang,Leyou Zhang

2020-01-01

Abstract:The huge storage space and powerful computing power make cloud servers be the best place for people to store data. However, convenience comes with the risk of data leakage as the cloud servers are not completely reliable. To ensure data confidentiality and user privacy, decentralized attribute-based encryption (ABE) can provide a solu-tion. Nevertheless, most of existing works cannot provide a complete method since there are some vulnerabilities in users’ collusion resilience and privacy protection. In this paper, a decentralized ciphertext-policy (CP) ABE scheme is proposed for the secure sharing of data. In the proposed scheme, without requiring any cooperation and knowing users’ global identifiers (GID), authorities can issue private keys for users independently through a privacy-preserving key generation protocol. Additionally, this scheme supports policy anonymity. The security of the proposed scheme is reduced to the decisional bilinear Diffie-Hellman (DBDH) assumption. Theoretical analysis and performance evaluations illustrate the efficiency of the scheme.