Zhenyao Qiu,Zhiwei Zhang,Shichong Tan,Jianfeng Wang,Xiaoling Tao

DOI: https://doi.org/10.3966/160792642019052003002

2019-01-01

Abstract:Cloud storage is facing the contradiction between data security and flexible data sharing, and therefore the cryptographic access control mechanisms are well studied. In particular, hierarchical access control in cloud storage is significant for many application scenarios. In these scenarios, the users are divided into several groups organized in a hierarchy, and they are assigned with different access privileges according to their groups and levels. That is, the users in higher level groups can access the data belonging to their subordinate groups while the users in lower level groups cannot access the data belonging to their superior groups. However, most of the existing hierarchical access control solutions seem to be unpractical for their inability of scalable data sharing, inefficiency of key management or lack of delegated reencryption. In this paper, we propose a new hierarchical access control scheme based on key-aggregate encryption, and the proposed scheme realizes scalable data sharing in cloud storage which allows the users to share data with any user group. In the proposed scheme, the size of each key or ciphertext is constant and irrelevant to the scale of hierarchical user structure. Especially, our scheme improves the convenience of key management by cutting off the key derivation widely used in the existing hierarchical key assignment methods. Furthermore, the proposed scheme reduces the users' updating overhead by introducing the delegated re-encryption into the hierarchical scenarios. Finally, the security analysis and the performance evaluation indicate that our scheme is feasible for the hierarchical data sharing applications in cloud storage.

Qin Liu,Guojun Wang,Jie Wu

DOI: https://doi.org/10.1109/CIT.2010.171

2010-01-01

Abstract:Suppose Bob, the boss in Company A, pays a secure cloud storage service and authorizes all the employees in that company to share such a service. There exists a user hierarchy: Bob is the user at the upper level and all the employees in the company are the users at the lower level. In this paper, we design and construct a scheme, which enables the user at the upper level to efficiently share the secure cloud storage services with all the users at the lower level. A sender can specify several users at the lower level as the recipients for a file by taking the number and public keys of the recipients as inputs of a hierarchical identity-based encryption algorithm, which enables only the user at the upper level, as well as the intended recipients, to decrypt the file using their own private keys. Using our scheme, the sender needs to encrypt a file only once, and store only one copy of the corresponding ciphertext in a ``cloud'' communicating with none of the recipients while encrypting a file to multiple recipients. To our best knowledge, this paper is the first to realize the efficient sharing of the secure storage services in cloud computing.

Zhusong Liu,Hongyang Yan,Zhiqiang Lin,Lingling Xu

DOI: https://doi.org/10.3217/jucs-021-03-0454

2015-01-01

Abstract:Cloud computing is an emerging computing paradigm that can provide storage resources and computing capacities services over the Internet. However, some new security issues arise when users' sensitive data are outsourced and shared in untrusted cloud. The traditional techniques to protect the confidentiality of sensitive data stored in cloud are encryption and related cryptographic tools. And the corresponding private keys to access and decrypt the files are disclosed to only authorized users. However, these traditional solutions are not scalable because the computational cost of encryption and other access control is heavy for devices with limited computation ability.In this paper, we present a new way to implement scalable and fine-grained access control systems, which can be applied for big data in untrusted cloud computing environment. The solution is based on symmetric, efficient broadcast encryption and fine-grained attribute-based encryption (ABE). In this access control system, users are able to join and revoked with broadcast encryption. An outsourced Hierarchical ABE scheme is first proposed in this paper to construct the access control system. The security analysis is also presented under the security model.

Guojun Wang,Qin Liu,Jie Wu

DOI: https://doi.org/10.1145/1866307.1866414

2010-01-01

Abstract:Cloud computing, as an emerging computing paradigm, enables users to remotely store their data into a cloud so as to enjoy scalable services on-demand. Especially for small and medium-sized enterprises with limited budgets, they can achieve cost savings and productivity enhancements by using cloud-based services to manage projects, to make collaborations, and the like. However, allowing cloud service providers (CSPs), which are not in the same trusted domains as enterprise users, to take care of confidential data, may raise potential security and privacy issues. To keep the sensitive user data confidential against untrusted CSPs, a natural way is to apply cryptographic approaches, by disclosing decryption keys only to authorized users. However, when enterprise users outsource confidential data for sharing on cloud servers, the adopted encryption system should not only support fine-grained access control, but also provide high performance, full delegation, and scalability, so as to best serve the needs of accessing data anytime and anywhere, delegating within enterprises, and achieving a dynamic set of users. In this paper, we propose a scheme to help enterprises to efficiently share confidential data on cloud servers. We achieve this goal by first combining the hierarchical identity-based encryption (HIBE) system and the ciphertext-policy attribute-based encryption (CP-ABE) system, and then making a performance-expressivity tradeoff, finally applying proxy re-encryption and lazy re-encryption to our scheme.

Dongyang Xu,Fengying Luo,Lin Gao,Zhi Tang

DOI: https://doi.org/10.1109/intech.2013.6653703

2013-01-01

Abstract:With the rapid development of cloud computing, more and more users begin to share documents in cloud servers. Since cloud servers are not within the trusted domain of users, encryption and access control are needed to protect the digital content. Attribute-based encryption is a favorable scheme that has been used for content protection in cloud computing. It can provide “one-to-many” encryption service so that one encrypted file can be decrypted by multiple prospective recipients whose attributes conform to the access policy. Currently, all existing attribute-based encryption schemes assume that the digital content and authorized users are equally privileged; however, there are emerging application scenarios that demand digital content and users with different privileges. In this paper, we present a new attribute-based encryption scheme that can generate security keys of different class for users by integrating ciphertext-policy attribute-based encryption and hierarchical cryptographic key management. Thus, we achieve the fine-grained document sharing which means that users can preview the same document with different privileges. We use hierarchical keys derived from a chain of one-way functions. Extensive analysis shows that our proposed scheme is simple, efficient and secure. The proposed scheme can provide “one-fits-many” encryption service.

Yuzhao Wu,Yongqiang Lyu,Qian Fang,Hao Yin,Geng Zheng,Yuanchun Shi

DOI: https://doi.org/10.1109/icdcsw.2017.19

2017-01-01

Abstract:Data outsourcing in cloud is emerging as a successful paradigm that benefits organizations and enterprises with high-performance, low-cost, scalable data storage and sharing services. However, this paradigm also brings forth new challenges for data confidentiality because the outsourced are not under the physic control of the data owners. The existing schemes to achieve the security and usability goal usually apply encryption to the data before outsourcing them to the storage service providers (SSP), and disclose the decryption keys only to authorized user. They cannot ensure the security of data while operating data in cloud where the third-party servicers are usually semi-trustworthy, and need lots of time to deal with the data. We construct a privacy data management system appending hierarchical access control called HAC-DMS, which can not only assure security but also save plenty of time when updating data in cloud.

Jianghong Wei,Xinyi Huang,Wenfen Liu,Xuexian Hu

DOI: https://doi.org/10.1142/s0129054117500289

2017-01-01

International Journal of Foundations of Computer Science

Abstract:Cloud storage greatly facilitates both individuals and organizations to share data over the Internet. However, there are several security issues that impede to outsource their data. Among various approaches introduced to overcome these issues, attribute-based encryption (ABE) provides secure and flexible access control on shared data, and thus is rather promising. But the original ABE is not adaptable to some special circumstances, where attributes are organized in a hierarchical structure, such as enterprises and official institutions. On the other hand, although the wide use of mobile devices enables users to conveniently access shared data anywhere and anytime, this also increases the risk of key exposure, which will result into unwanted exposure of the shared data. In this paper, we extend the functionality of the original ABE and enhance its security by providing key generation delegation and forward security. Consequently, the enhanced ABE meets applications of large organizations with hierarchies and minimizes the damage in the case of unexpected key exposures. Specifically speaking, we present a forward-secure ciphertext-policy hierarchical attribute-based encryption scheme in prime order bilinear groups, as a core building of attribute-based data sharing scheme. The security of the proposed scheme is proven in the standard model. We conduct experiments to demonstrate its efficiency and practicability.

Qinlong Huang,Yixian Yang,Mansuo Shen

DOI: https://doi.org/10.1016/j.future.2016.09.021

IF: 7.307

2017-01-01

Future Generation Computer Systems

Abstract:With the increasing trend of outsourcing data to the cloud for efficient data storage, secure data collaboration service including data read and write in cloud computing is urgently required. However, it introduces many new challenges toward data security. The key issue is how to afford secure write operation on ciphertext collaboratively, and the other issues include difficulty in key management and heavy computation overhead on user since cooperative users may read and write data using any device. In this paper, we propose a secure and efficient data collaboration scheme, in which fine-grained access control of ciphertext and secure data writing operation can be afforded based on attribute-based encryption (ABE) and attribute-based signature (ABS) respectively. In order to relieve the attribute authority from heavy key management burden, our scheme employs a full delegation mechanism based on hierarchical attribute-based encryption (HABE). Further, we also propose a partial decryption and signing construction by delegating most of the computation overhead on user to cloud service provider. The security and performance analysis show that our scheme is secure and efficient.

Guojun Wang,Qin Liu,Jie Wu,Minyi Guo

DOI: https://doi.org/10.1016/j.cose.2011.05.006

IF: 5.105

2011-01-01

Computers & Security

Abstract:With rapid development of cloud computing, more and more enterprises will outsource their sensitive data for sharing in a cloud. To keep the shared data confidential against untrusted cloud service providers (CSPs), a natural way is to store only the encrypted data in a cloud. The key problems of this approach include establishing access control for the encrypted data, and revoking the access rights from users when they are no longer authorized to access the encrypted data. This paper aims to solve both problems. First, we propose a hierarchical attribute-based encryption scheme (HABE) by combining a hierarchical identity-based encryption (HIBE) system and a ciphertext-policy attribute-based encryption (CP-ABE) system, so as to provide not only fine-grained access control, but also full delegation and high performance. Then, we propose a scalable revocation scheme by applying proxy re-encryption (PRE) and lazy re-encryption (LRE) to the HABE scheme, so as to efficiently revoke access rights from users.

Hua Deng,Zheng Qin,Letian Sha,Hui Yin

DOI: https://doi.org/10.1109/jiot.2020.2999350

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:Cloud-assisted Internet of Things (IoT) has become an increasingly popular technological trend as the performance of IoT applications can be greatly improved by delegating the cloud to manage massive IoT data. To protect the confidentiality of data outsourced from IoT devices to the cloud, cryptographic mechanisms are usually employed to encrypt the data in such a way that only the user designated by the data owner can decrypt the data. However, in the IoT multiuser environment, the encrypted data may also need to be shared with more users beyond the initially designated one. In this article, we propose a flexible privacy-preserving data sharing (FPDS) scheme in cloud-assisted IoT. With the FPDS scheme, an IoT user can encrypt data to a recipient by using identity-based encryption. More importantly, the IoT user can specify a fine-grained access policy to generate a delegation credential, and then send this credential to the cloud so that it can convert all the encrypted data satisfying the access policy into new ciphertexts that are readable to a new recipient. In this way, IoT users can share the data outsourced to the cloud in a flexible and privacy-preserving manner. Detailed security analysis shows that the FPDS scheme is secure against semitrusted cloud and malicious IoT users. Thorough theoretical and experimental analyses demonstrate the high efficiency of the scheme.

Shaohua Tang,Xiaoyu Li,Xinyi Huang,Yang Xiang,Lingling Xu

DOI: https://doi.org/10.1109/tc.2015.2479609

IF: 3.183

2016-01-01

IEEE Transactions on Computers

Abstract:Access control is an indispensable security component of cloud computing, and hierarchical access control is of particular interest since in practice one is entitled to different access privileges. This paper presents a hierarchical key assignment scheme based on linear-geometry as the solution of flexible and fine-grained hierarchical access control in cloud computing. In our scheme, the encryption key of each class in the hierarchy is associated with a private vector and a public vector, and the inner product of the private vector of an ancestor class and the public vector of its descendant class can be used to derive the encryption key of that descendant class. The proposed scheme belongs to direct access schemes on hierarchical access control, namely each class at a higher level in the hierarchy can directly derive the encryption key of its descendant class without the need of iterative computation. In addition to this basic hierarchical key derivation, we also give a dynamic key management mechanism to efficiently address potential changes in the hierarchy. Our scheme only needs light computations over finite field and provides strong key indistinguishability under the assumption of pseudorandom functions. Furthermore, the simulation shows that our scheme has an optimized trade-off between computation consumption and storage space.

Ran Yang,Chuang Lin,Yixin Jiang

DOI: https://doi.org/10.1109/icc.2012.6364473

2012-01-01

Abstract:In cloud computing, the sensitive data are required to be encrypted before being outsourced to the server, which introduce a heavy computation overhead for key derivation and data management when dynamic hierarchical access control is desired. In this paper, we address this challenging problem by delegating the computation intensive task, such as data re-encryption, key distribution and derivation to cloud servers. Only bilinear pairing and random padding are used in our construction. Extensive analysis shows that the proposed scheme achieves scalability and dynamic simultaneously, and is proved to be secure formally.

Qiang Wei,Huaibin Shao,Gongxuan Zhang

DOI: https://doi.org/10.1155/2018/5634561

2018-01-01

Wireless Communications and Mobile Computing

Abstract:Due to the abundant storage resources and high reliability data service of cloud computing, more individuals and enterprises are motivated to outsource their data to public cloud platform and enable legal data users to search and download what they need in the outsourced dataset. However, in “Paid Data Sharing” model, some valuable data should be encrypted before outsourcing for protecting owner’s economic benefits, which is an obstacle for flexible application. Specifically, if the owner does not know who (user) will download which data files in advance and even does not know the attributes of user, he/she has to either remain online all the time or import a trusted third party (TTP) to distribute the file decryption key to data user. Obviously, making the owner always remain online is too inflexible, and wholly depending on the security of TTP is a potential risk. In this paper, we propose a flexible, secure, and reliable data sharing scheme based on collaboration in multicloud environment. For securely and instantly providing data sharing service even if the owner is offline and without TTP, we distribute all encrypted split data/key blocks together to multiple cloud service providers (CSPs), respectively. An elaborate cryptographic protocol we designed helps the owner verify the correctness of data exchange bills, which is directly related to the owner’s economic benefits. Besides, in order to support reliable data service, the erasure-correcting code technic is exploited for tolerating multiple failures among CSPs, and we offer a secure keyword search mechanism that makes the system more close to reality. Extensive security analyses and experiments on real-world data show that our scheme is secure and efficient.

Shan-shan Tu,Shao-zhang Niu,Hui Li,Yun Xiao-ming,Meng-jiao Li

DOI: https://doi.org/10.1109/ipdpsw.2012.265

2012-01-01

Concurrency and Computation Practice and Experience

Abstract:With the current rapid increase of cloud computing, enterprises outsource their sensitive data for sharing in a cloud. The key problems of this approach include establishing access control for the encrypted data, and revoking the access rights from users when they are no longer authorized to access the encrypted data on cloud servers. This paper aims to solve these problems. Firstly, based on the attribute encryption and the dual encryption system, we propose a concrete access control scheme constructed over the composite order bilinear groups, and we prove its security under the standard model. Then, we propose a fully fine-grained revocation scheme under the direct revocation model, so as to efficiently revoke access rights from users on cloud servers.

Peng Xu,Hongwu Chen,Deqing Zou,Hai Jin

DOI: https://doi.org/10.1007/s11434-014-0521-1

2014-01-01

Abstract:Cloud is an emerging computing paradigm.It has drawn extensive attention from both academia and industry.But its security issues have been considered as a critical obstacle in its rapid development.When data owners store their data as plaintext in cloud,they lose the security of their cloud data due to the arbitrary accessibility,specially accessed by the un-trusted cloud.In order to protect the confidentiality of data owners’cloud data,a promising idea is to encrypt data by data owners before storing them in cloud.However,the straightforward employment of the traditional encryption algorithms can not solve the problem well,since it is hard for data owners to manage their private keys,if they want to securely share their cloud data with others in a fine-grained manner.In this paper,we propose a fine-grained and heterogeneous proxy re-encryption(FHPRE)system to protect the confidentiality of data owners’cloud data.By applying the FH-PRE system in cloud,data owners’cloud data can be securely stored in cloud and shared in a fine-grained manner.Moreover,the heterogeneity support makes our FH-PRE system more efficient than the previous work.Additionally,it provides the secure data sharing between two heterogeneous cloud systems,which are equipped with different cryptographic primitives.

Jiyuan Zhou,Tian Wang,Md. Zakirul Alam Bhuiyan,Anfeng Liu

DOI: https://doi.org/10.1109/DASC-PICom-DataCom-CyberSciTec.2017.90

2017-01-01

Abstract:Since the cloud computing technology was proposed, it has developed rapidly. Cloud computing demonstrated that it was a major driver of change in the IT industry and there are a lot of cloud-based technologies deriving from cloud computing. With the Cloud computing development and global growth of data, cloud storage technology gets more attention and better development and attracts a large number of users. Users depend on the powerful storage capacity of cloud storage. However, in this storage schema, users' data is all stored in cloud servers. In other word, users lose their right of control on data and face privacy leakage risk. Traditional privacy protection schemes are usually based on encryption technology, but these kinds of methods cannot effectively resist attack from the inside of cloud server. Once the password gets compromised, users' data will be exposed to public. In order to solve this problem, we propose a hierarchic storage method based on fog computing model and design a Hash-Solomon code algorithm. We put a small part of data in local machine and fog server, which can take full advantage of cloud storage and protect the privacy of data. Through the theoretical safety analysis and experimental evaluation, the feasibility of our scheme is validated, which is really a powerful supplement to existing cloud storage scheme.

xuejiao liu,yingjie xia,yang xiang,mohammad mehedi hassan,abdulhameed alelaiwi

DOI: https://doi.org/10.1109/SocialSec2015.13

2015-01-01

Abstract:Hybrid cloud is a widely used cloud architecture in large companies that can outsource data to the publiccloud, while still supporting various clients like mobile devices. However, such public cloud data outsourcing raises serious security concerns, such as how to preserve data confidentiality and how to regulate access policies to the data stored in public cloud. To address this issue, we design a hybrid cloud architecture that supports data sharing securely and efficiently, even with resource-limited devices, where private cloud serves as a gateway between the public cloud and the data user. Under such architecture, we propose an improved construction of attribute-based encryption that has the capability of delegating encryption/decryption computation, which achieves flexible access control in the cloud and privacy-preserving in datautilization even with mobile devices. Extensive experiments show the scheme can further decrease the computational cost and space overhead at the user side, which is quite efficient for the user with limited mobile devices. In the process of delegating most of the encryption/decryption computation to private cloud, the user can not disclose any information to the private cloud. We also consider the communication securitythat once frequent attribute revocation happens, our scheme is able to resist some attacks between private cloud and data user by employing anonymous key agreement.

Xin Wang,Bo Yang,Zhe Xia,Yanqi Zhao,Huifang Yu

DOI: https://doi.org/10.1155/2018/6174830

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Cloud computing provides a new, attractive paradigm for the effective sharing of storage and computing resources among global consumers. More and more enterprises have begun to enter the field of cloud computing and storing data in the cloud to facilitate the sharing data among users. However, in many cases, users may be concerned about data privacy, trust, and integrity. It is challenging to provide data sharing services without sacrificing these security requirements. In this paper, a data sharing scheme of reliable, secure, and privacy protection based on general access structure is introduced. The proposed scheme is not only effective and flexible, but also is capable of protecting privacy for the cloud owner, supporting data sharing under supervision, enabling accountability of users' decryption keys, and identifying cheaters if some users behave dishonestly. Security analysis and efficiency analysis demonstrate that our proposed scheme has better performance in computational costs compared with most related works. The scheme is versatile to be used in various environments. For example, it is particularly suitable to be employed to protect personal health data and medical diagnostic data in information medical environment.

Xin Dong,Jiadi Yu,Yuan Luo,Yingying Chen,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/iwqos.2013.6550281

2013-01-01

Abstract:Cloud storage services enable users to remotely store their data and eliminate excessive local installation of software and hardware. One critical issue is how to enable a secure data collaboration service including data access and update in cloud computing. A data collaboration service is to support the availability and consistency of the shared data among multi-users. In this paper, we propose a secure and efficient data collaboration scheme SECO. In SECO, we employ a two-level hierarchical identity based encryption (HIBE) to guarantee data confidentiality against untrusted cloud. This paper is the first attempt to explore secure cloud data collaboration service that precludes information leakage and enables a one-to-many encryption paradigm, data writing operation and fine-grained access control simultaneously. Security analysis indicates that the SECO enforces fine-grained access control and collusion resistant. Extensive performance analysis and experiment results demonstrate that SECO is highly efficient and low overhead on computation and communication.

Guowen Xu,Shengmin Xu,Jinhua Ma,Jianting Ning,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2023.3305870

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud computing has been widely accepted as a computing paradigm to offer high-quality data services on demand. However, it suffers from various attacks as the cloud service provider and data owners are not in the same trusted domain. To support data confidentiality, existing cloud-based systems apply cryptographic tools to issue the decryption key to data users to share data in a controlled way. However, fine-grained cloud data sharing still faces many challenges, especially when dealing with dynamic user groups. In this paper, we introduce a secure and efficient cloud-based data-sharing system with fine-grained access control and dynamic user groups. Our system enjoys 1) adaptive security in prime-order groups, 2) forward secrecy against revoked user fetches data generated before being revoked, and 3) decryption key exposure resistance against the compromise of the frequently used decryption key, where the previous solutions only concentrate on one or two above-mentioned properties. More specifically, we introduce two timestamp management mechanisms that manage the timestamp in each ciphertext to support dynamic user groups with forward secrecy. By applying the proposed timestamp management mechanisms, we introduce two novel designs of attribute-based encryption schemes with formal definition and security analyses. The proposed schemes are adaptively secure in prime-order groups under a standard assumption and support decryption key exposure resistance. We conduct theoretical analysis and experimental simulation to demonstrate the outperformance of our solutions.