Nyamsuren Vaanchig,Wei Chen,Zhiguang Qin

DOI: https://doi.org/10.14257/ijsia.2016.10.10.27

2016-01-01

International Journal of Security and Its Applications

Abstract:Nowadays, more and more users outsource their data to third party cloud storage servers for the purpose of sharing, so cloud data sharing becomes one of the popular services offered by cloud service providers. However, the third party storage servers in cloud data sharing systems, which are not fully trusted by data owners, make access control to the shared data a challenging issue. Although Ciphertext-Policy AttributeBased Encryption (CP-ABE) is an emerging cryptographic solution for this issue, dealing with dynamic changes to users' access privileges (attribute revocation) in its practical applications as cloud data sharing systems is a real challenge. To overcome this challenge, we propose a fine-grained access control scheme for cloud data sharing systems by designing secure and efficient attribute-revocable CP-ABE scheme. Our scheme only allows non-revoked users in the attribute group to update their secret key by themselves using their unique key-update keys and the ciphertexts are updated by minimally trusted cloud server using a ciphertext-update key. Compared with the existing access controls achieved by attribute-revocable CP-ABE schemes, our proposed access control scheme reduces the trust degree of the cloud server in the attribute revocation mechanism. Furthermore, the analysis indicates that our access control scheme is more secure and efficient to apply to practical scenarios.

Jialu Hao,Cheng Huang,Jianbing Ni,Hong Rong,Ming Xian,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1016/j.comnet.2019.02.008

IF: 5.493

2019-01-01

Computer Networks

Abstract:Ciphertext-policy attribute-based encryption (CP-ABE) is a promising approach to achieve fine-grained access control over the outsourced data in Internet of Things (IoT). However, in the existing CP-ABE schemes, the access policy is either appended to the ciphertext explicitly or only partially hidden against public visibility, which results in privacy leakage of the underlying ciphertext and potential recipients. In this paper, we propose a fine-grained data access control scheme supporting expressive access policy with fully attribute hidden for cloud-based IoT. Specifically, the attribute information is fully hidden in access policy by using randomizable technique, and a fuzzy attribute positioning mechanism based on garbled Bloom filter is developed to help the authorized recipients locate their attributes efficiently and decrypt the ciphertext successfully. Security analysis and performance evaluation demonstrate that the proposed scheme achieves effective policy privacy preservation with low storage and computation overhead. As a result, no valuable attribute information in the access policy will be disclosed to the unauthorized recipients.

Kan Yang,Qi Han,Hui Li,Kan Zheng,Zhou Su,Xuemin Shen

DOI: https://doi.org/10.1109/JIOT.2016.2571718

IF: 10.6

2017-01-01

IEEE Internet of Things Journal

Abstract:How to control the access of the huge amount of big data becomes a very challenging issue, especially when big data are stored in the cloud. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising encryption technique that enables end-users to encrypt their data under the access policies defined over some attributes of data consumers and only allows data consumers whose attributes sat...

Rui Chang,Liehui Jiang,Wenzhi Chen,Hong-qi He,Shuiqiao Yang,Hang Jiang,Wei Liu,Yong Liu

DOI: https://doi.org/10.1002/cpe.4180

2018-01-01

Abstract:This paper discusses security issues on the user equipment, which is the last mile of social networks. One of the main Achilles' heel of social networks is not the organization of networks themselves, but the user devices, typically Android ones. The existing system of privileges makes it easy to infiltrate the network via applications installed on users' devices. Conventional signature-based and static analysis methods are vulnerable. Access to privacy- and security-relevant parts of the application programming interface is controlled by the corresponding permission in a manifest file. While requesting access to permissions, it may offer opportunities to malicious codes, which will cause security issues. Few works among permission analysis, however, pay attention to the prevention of permission leakage on both hardware and software frameworks. In this paper we tackle the challenge of providing our multilayered permission-based security extension scheme on Android platforms. We propose a usage and access control model and an effective method of preventing permission leakage based on ARM TrustZone security extension mechanism. In contrast to previous work, the proposed security architecture provides a permission-based mandatory access control on Android middleware, Linux kernel, and hardware layers. The evaluation results demonstrate the effectiveness of the proposed scheme in mitigating permission leakage vulnerabilities.

Xingbing Fu,Fagen Li,Shengke Zeng

DOI: https://doi.org/10.14257/ijfgcn.2016.9.1.25

2016-01-01

International Journal of Future Generation Communication and Networking

Abstract:In this work, an oblivious transfer with complex access control scheme that is constructed based on ciphertext policy attribute based encryption (CP-ABE) scheme is proposed. In this scheme, the database server can enforce fine grained access control for each record where the authorized user is allowed to access, but the unauthorized user cannot, whereas it learns neither which record a user accesses, nor which attributes a user has. This scheme has the advantages as follows: First, it allows the expressive access control policies where access structures are based on linear secret sharing scheme that directly supports AND, OR and Threshold gates. Second, the communication complexity in this scheme is constant in the numbers of records which have been accessed. Third, this scheme is constructed in prime order bilinear group. Fourth, this scheme is secure in the standard model. To the best of our knowledge, this scheme is the first to obtain these features simultaneously.

Xinfeng Ye,Bakh Khoussainov

DOI: https://doi.org/10.1504/IJGUC.2013.056252

2013-01-01

Abstract:Fine-grained access control schemes are commonly used in cloud computing. In this type of schemes, each data item is given its own access control policy. The entity that wants to access the data item needs to provide its credentials to a policy enforcer. In a cloud environment, normally, the policy enforcer is not the owner of the data. The access control policies and the credentials might reveal some information that the policy enforcer is not entitled to know. This paper proposes a fine-grained access control scheme. It prevents the policy enforcers from comprehending the access control policies and the entities' credentials by using cryptographic techniques. Compared with the existing schemes, the proposed scheme provides higher level privacy.

Jiguo Li,Yichen Zhang,Jianting Ning,Xinyi Huang,Geong Sen Poh,Debang Wang

DOI: https://doi.org/10.1109/tcc.2020.2975184

IF: 5.697

2020-01-01

IEEE Transactions on Cloud Computing

Abstract:The pervasive, ubiquitous, and heterogeneous properties of IoT make securing IoT systems a very challenging task. More so when access and storage are performed through a cloud-based IoT system. IoT data stored on cloud should be encrypted to ensure data privacy. It is also crucial to allow only authorized entities to access and decrypt the encrypted data. In this article, we propose a ciphertext-policy attribute-based encryption (CP-ABE) scheme that enables fine-grained access control of encrypted IoT data on cloud. CP-ABE is regarded as a highly promising approach to provide flexible and fine-grained access control, which is quite suited to secure cloud based IoT systems. We first present an access control system model of CloudIoT platform based on ABE. Based on the presented system model, we construct a ciphertext-policy hiding CP-ABE scheme, which guarantees the privacy of the users. We further construct a white-box traceable CP-ABE scheme with accountability in order to address the user key abuse and authorization center key abuse. Experiment illustrates the proposed systems are efficient.

computer science, information systems, theory & methods

Yi Wu,Wei Zhang,Hu Xiong,Zhiguang Qin,Kuo-Hui Yeh

DOI: https://doi.org/10.1007/s11042-021-11286-0

IF: 2.577

2021-01-01

Multimedia Tools and Applications

Abstract:With the universality and availability of Internet of Things (IoT), data privacy protection in IoT has become a hot issue. As a branch of attribute-based encryption (ABE), ciphertext policy attribute-based encryption (CP-ABE) is widely used in IoT to offer flexible one-to-many encryption. However, in IoT, different mobile devices share messages collected, transmission of large amounts of data brings huge burdens to mobile devices. Efficiency is a bottleneck which restricts the wide application and adoption of CP-ABE in Internet of things. Besides, the decryption key in CP-ABE is shared by multiple users with the same attribute, once the key disclosure occurs, it is non-trivial for the system to tell who maliciously leaked the key. Moreover, if the malicious mobile device is not revoked in time, more security threats will be brought to the system. These problems hinder the application of CP-ABE in IoT. Motivated by the actual need, a scheme called traceable and revocable ciphertext policy attribute-based encryption scheme with constant-size ciphertext and key is proposed in this paper. Compared with the existing schemes, our proposed scheme has the following advantages: (1) Malicious users can be traced; (2) Users exiting the system and misbehaving users are revoked in time, so that they no longer have access to the encrypted data stored in the cloud server; (3) Constant-size ciphertext and key not only improve the efficiency of transmission, but also greatly reduce the time spent on decryption operation; (4) The storage overhead for traceability is constant. Finally, the formal security proof and experiment has been conducted to demonstrate the feasibility of our scheme.

Jie Cui,Xuelian Chen,Jing Zhang,Qingyang Zhang,Hong Zhong

DOI: https://doi.org/10.1109/jiot.2020.3041860

IF: 10.6

2021-05-15

IEEE Internet of Things Journal

Abstract:A connected and autonomous vehicle (CAV) is often fitted with a large number of onboard sensors and applications to support autonomous driving functions. Based on the current research, little work on applications' access to in-vehicle data has been done. Furthermore, most existing autonomous driving operating systems lack authentication and encryption units. As such, applications can excessively obtain confidential information, such as vehicle location and owner preferences and even upload it to the cloud, threatening the security of the vehicle and the privacy of the owner. In this study, we propose a fine-grained access control scheme to restrict applications' access to data in CAVs (FGAC-inCAVs). First, we present a system model composed of the following elements: a trusted third party (TTP), which is a fully trusted authority; perception components like sensors, which can capture the road information (pictures, videos, etc.); and multiple applications. Then, a fast attribute-based encryption (ABE) is presented, and security analysis also shows it is secure against selective and chosen-plaintext attacks. Furthermore, we propose a key update scheme based on the Chinese remainder theorem (CRT). Finally, the theoretical analysis and simulation experiments demonstrate its feasibility and efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jianfei Sun,Hu Xiong,Ximeng Liu,Yinghui Zhang,Xuyun Nie,Robert H. Deng

DOI: https://doi.org/10.1109/JIOT.2020.2974257

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:With the booming of Internet of Things (IoT), smart health (s-health) is becoming an emerging and attractive paradigm. It can provide an accurate prediction of various diseases and improve the quality of healthcare. Nevertheless, data security and user privacy concerns still remain issues to be addressed. As a high potential and prospective solution to secure IoT-oriented s-health applications, ciphertext policy attribute-based encryption (CP-ABE) schemes raise challenges, such as heavy overhead and attribute privacy of the end users. To resolve these drawbacks, an optimized vector transformation approach is first proposed to efficiently transform the access policy and user attribute set into respective vectors of shorter length while other approaches result in redundant and longer vectors. Our transformation approach can greatly relieve the costly overheard of key generation, encryption, and decryption phases. Then, based on the transformation approach and the offline/online computation technology, we propose a lightweight policy-hiding CP-ABE scheme for the IoT-oriented s-health application. With our proposed scheme, data users in the s-health system can perform lightweight encryption and decryption without leaking any sensitive privacy about the attributes of the user. Finally, the formal security analysis, the theoretic performance evaluation and experiment results indicate that the solution is secure and efficient.

Jiaoli Shi,Chao Hu,Shimao Yao,Zhuolin Mei,Bin Wu,Hui Li

DOI: https://doi.org/10.1109/icpads60453.2023.00413

2023-01-01

Abstract:Efficiency, security, and flexibility are difficult to balance in a full policy hiding CP-ABE scheme. This paper creatively converts the privacy matching problem of access policy and a user’s private key to the privacy three-party set computation problem. Then the new privacy set computation problem is resolved by a message driven key generation method. Additionally, the ROBDD (Reduced Ordered Binary Decision Diagrams) is utilized to rich access structure expression and convert access policies into feasible path sets. Each feasible path is composed of attributes and these attributes are bound to the ciphertext using CP-ABE. Based on the innovative ideas mentioned above, we present a Lighten Fine-grained Access Control scheme supporting Full Policy Hidden (LFAC-FPH) that integrates data confidentiality protection, access policy rich expression but complete hiding, fine-grained access control, and lightweight terminal computing. Our scheme has three advantages: 1) High Efficiency. The proposed scheme can achieve fast privacy matching of access policies during user decryption. 2) Full Policy Hiding. The access policy bound by an owner on the ciphertext does not leak any information. Moreover, a user cannot know attributes they do not own. 3) High Flexibility. The decryption process does not require online from owners or KGC, and system attributes can be added at any time.

Amir Mohammad Naseri,Walter Lucia,Mohammad Mannan,Amr Youssef

DOI: https://doi.org/10.1109/icas49788.2021.9551155

2021-08-11

Abstract:Recently, cloud control systems have gained increasing attention from the research community as a solution to implement networked cyber-physical systems (CPSs). Such an architecture can reduce deployment and maintenance costs albeit at the expense of additional security and privacy concerns. In this paper, first, we discuss state-of-the-art security solutions for cloud control systems and their limitations. Then, we propose a novel control architecture based on Trusted Execution Environments (TEE). We show that such an approach can potentially address major security and privacy issues for cloud-hosted control systems. Finally, we present an implementation setup based on Intel Software Guard Extensions (SGX), and validate its effectiveness on a testbed system.

Qi Li,Bin Xia,Haiping Huang,Yinghui Zhang,Tao Zhang

DOI: https://doi.org/10.1109/tii.2021.3109090

IF: 12.3

2022-05-01

IEEE Transactions on Industrial Informatics

Abstract:Mobile healthcare (mHealth) enables people to collect and share their personal health records (PHRs) and gain rapid medical treatment via mobile 5G-enabled Industrial Internet of Things (IIoT) devices, which also brings the challenge of keeping the PHRs confidentiality and preventing unauthorized access. By the emerging ciphertext-policy attribute-based encryption (CP-ABE), the PHR owner can encrypt his/her PHR data under self-defined access policies. However, existing CP-ABE schemes are suffering from either heavy computation cost and storage overhead or traitor tracing and direct revocation. In this article, we propose an efficient, traceable, and revocable access control scheme named TRAC for mHealth in 5G-enabled IIoT. In TRAC, the ciphertext is composed of the attribute-relevant ciphertext encrypted under an and-gate access structure and the identity-relevant ciphertext associated with some potential receivers. The malicious user who leaks his/her privilege to unauthorized entities will be precisely tracked and added in the revocation list, by which the cloud server can update the identity-relevant ciphertext by itself. The length of final ciphertext and the time of bilinear pairing operations used in decryption are constant. The security analysis and performance evaluation indicate the security, efficiency, and practicality of TRAC.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Wei Wang,Tao Zhou,Weili Han

DOI: https://doi.org/10.3969/j.issn.1000-386x.2016.08.067

2016-01-01

Abstract:Sensitive data and perception capacities in Android devices face severe security threats.Current security mechanism cannot efficiently protect the sensitive data of users and perception capacity of devices,because it only provides a coarse-grained access control on application level.Therefore,this paper proposes an access control enhancement mechanism for sensitive data and capacities in Android, which is based on cryptography and fine-grained security policy drive.First,with the help of key management and fine-grained encryption policy,it leverages a high-strength symmetric encryption algorithm to encrypt the sensitive data and this solves the secure storage problem of sensitive data;Then,the mechanism leverages a fine-grained security policy-based access control mechanism to control the access privilege of perception capacities on layer of Android platform to reach the goal of perception data protection.Through prototype system and performance testing,the proposed access control enhancement mechanism for sensitive data and capacity of Android is able to operate on current Android platform with acceptable performance.

Tao Ye,Yongquan Cai,Xu Zhao,Yongli Yang,Wei Wang,Yi Zhu

DOI: https://doi.org/10.1504/ijwmc.2019.097424

2019-01-01

Abstract:The CP-ABE-based access control scheme, which can better realise the access control of many-to-multi-ciphertext shared in the cloud storage architecture, is still facing the problems that the system cost is too large, and the policy attribute revocation or restore is not flexible. This paper proposes an efficient access control scheme based on CP-ABE with supporting attribute change in cloud storage system. The fine-grained access control can be achieved by re-encryption mechanism which takes the minimum shared re-encryption key for policy attribute set. And then the access structure tree is expanded by creating a corresponding virtual attribute for each leaf node attribute. The analysis results of the scheme indicate that the efficient and flexibility of the attribute change is not only improved, but also the system cost is reduced.

Xiong Li,Tian Liu,Chaoyang Chen,Qingfeng Cheng,Xiaosong Zhang,Neeraj Kumar

DOI: https://doi.org/10.1109/jiot.2022.3165576

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:As an extension of cloud computing, edge computing has attracted the attention of academia and industry because of its characteristics of low latency, high bandwidth, and low energy consumption. However, due to limited terminal resources and insufficient security design, the edge computing environment still faces many challenges in terms of data security and privacy protection. Among them, how to effectively control access to outsourced data is one of the main issues. In this article, we propose a lightweight and verifiable ciphertext-policy attribute-based encryption (CP-ABE)-based multiauthority access control scheme for edge computing-assisted Internet of Things (IoT), which adopts the method of outsourcing decryption to mitigate the computational cost of data users with limited resources. In addition, our scheme realizes the feature of attribute revocation, and the design of the multiauthority mechanism enables our scheme to avoid the problem of key escrow. Therefore, our proposed scheme not only ensures data confidentiality but also can resist the collusion attack. Besides, our scheme is secure against the chosen plaintext attack in the random oracle model under the decision $q$ -BDHE assumption. Finally, we compared our scheme with some related work in performance, and the results demonstrate that our scheme is efficient in computation and communication. Because our scheme greatly mitigates the overhead of data users, it is very suitable for edge computing supported IoT applications with restricted computation resources.

Hui Tian,Xiang Li,Hanyu Quan,Chin-Chen Chang,Thar Baker

DOI: https://doi.org/10.1109/jsen.2020.3030688

IF: 4.3

2021-07-15

IEEE Sensors Journal

Abstract:The Intelligent Transportation System (ITS) provides more possibilities for the realization of smart cities by integrating the Internet of Things (IoT) and cloud computing. However, how to ensure security of IoT data stored in the cloud has become one of the biggest challenges at present. As a promising solution for realizing fine-grained access control, Ciphertext-Policy Attribute-Based Encryption (CP-ABE) can be used to ensure data security. However, the traditional CP-ABE schemes may leak privacy of ITS users. Moreover, due to their high computational overheads, the current privacy-preserving techniques are not suitable for IoT lightweight devices. To fill this gap, this article presents ABE-FPP, a lightweight attribute-based access control scheme with full privacy protection (FPP), which can achieve full privacy protection in the three key stages (i.e., key generation, access control, and partial decryption), while reducing consumption overhead on the user side. Specifically, to protect privacy during key generation, a lightweight two-party secure computing protocol between the user and the authority is designed to generate secret keys; to protect privacy during the access control policy setting, we present an efficient policy hidden strategy, which only reveals attribute names and efficiently hides attribute values; to protect privacy during partial decryption, we propose a hybrid authentication method that does not need to submit attribute values to the cloud. Moreover, to achieve lightweight computation for IoT devices, online/offline encryption and outsourced decryption are employed in ABE-FPP. Finally, formal security proofs show that our scheme is secure in the standard model. The asymptotic complexity analyses and experimental results demonstrate that the presented scheme achieves higher computation efficiency than the state-of-the-art ones.

engineering, electrical & electronic,instruments & instrumentation,physics, applied

Jianan Hong,Kaiping Xue,Wei Li,Yingjie Xue

DOI: https://doi.org/10.1109/tsc.2017.2682090

2015-01-01

Abstract:The new paradigm of outsourcing data to the cloud is a double-edged sword. On one side, it frees up data owners from the technical management, and is easier for the data owners to share their data with intended recipients when data are stored in the cloud. On the other side, it brings about new challenges about privacy and security protection. To protect data confidentiality against the honest-but-curious cloud service provider, numerous works have been proposed to support fine-grained data access control. However, till now, no efficient schemes can provide the scenario of fine-grained access control together with the capacity of time-sensitive data publishing. In this paper, by embedding the mechanism of timed-release encryption into CP-ABE (Ciphertext-Policy Attribute-based Encryption), we propose TAFC: a new time and attribute factors combined access control on time-sensitive data stored in cloud. Extensive security and performance analysis shows that our proposed scheme is highly efficient and satisfies the security requirements for time-sensitive data storage in public cloud.

Rui Cheng,Kehe Wu,Yuling Su,Wei Li,Wenchao Cui,Jie Tong

DOI: https://doi.org/10.3390/pr9071176

IF: 3.5

2021-07-06

Processes

Abstract:The rapid development of the power Internet of Things (IoT) has greatly enhanced the level of security, quality and efficiency in energy production, energy consumption, and related fields. However, it also puts forward higher requirements for the security and privacy of data. Ciphertext-policy attribute-based encryption (CP-ABE) is considered a suitable method to solve this issue and can implement fine-grained access control. However, its internal bilinear pairing operation is too expensive, which is not suitable for power IoT with limited computing resources. Hence, in this paper, a novel CP-ABE scheme based on elliptic curve cryptography (ECC) is proposed, which replaces the bilinear pairing operation with simple scalar multiplication and outsources most of the decryption work to edge devices. In addition, time and location attributes are combined in the proposed scheme, allowing the data users to access only within the range of time and locations set by the data owners to achieve a more fine-grained access control function. Simultaneously, the scheme uses multiple authorities to manage attributes, thereby solving the performance bottleneck of having a single authority. A performance analysis demonstrates that the proposed scheme is effective and suitable for power IoT.

engineering, chemical

Jianting Ning,Zhenfu Cao,Xiaolei Dong,Kaitai Liang,Lifei Wei,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/tsc.2018.2791538

IF: 11.019

2019-01-01

IEEE Transactions on Services Computing

Abstract:Secure cloud storage, which is an emerging cloud service, is designed to protect the confidentiality of outsourced data but also to provide flexible data access for cloud users whose data is out of physical control. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is regarded as one of the most promising techniques that may be leveraged to secure the guarantee of the service. However, the use of CP-ABE may yield an inevitable security breach which is known as the misuse of access credential (i.e., decryption rights), due to the intrinsic “all-or-nothing” decryption feature of CP-ABE. In this paper, we investigate the two main cases of access credential misuse: one is on the semi-trusted authority side, and the other is on the side of cloud user. To mitigate the misuse, we propose the first accountable authority and revocable CP-ABE based cloud storage system with white-box traceability and auditing, referred to as CryptCloud±. We also present the security analysis and further demonstrate the utility of our system via experiments.