Guangyu Chen,Jian Liu,Ming Xian

DOI: https://doi.org/10.1088/1742-6596/1314/1/012190

2019-01-01

Journal of Physics Conference Series

Abstract:With the increase of data volume, the service of data publication and subscription is an efficient method to share massive data. It is impossible to capture and manage data with traditional database tools. Therefore, the cloud platform becomes the most suitable platform for data publication and subscription due to its huge storage, strong computing power and good economical utility. In the process of data publishing and subscription, cloud server as a third party is semi-honest, which will bring serious privacy problems. In this paper, a secure data publishing and subscription scheme based on cloud platform is proposed, which can protect the privacy of data and subscriber interest, and achieve efficient and accurate data publishing and subscription. It can realize that only data subscribers who meet the requirements of access rights can obtain and decrypt the data, and the matching of data subscriber interest and data label can be realized at the same time. In addition, this scheme also supports user cancellation, it can cancel dishonest users in the system.

Kai Zhang,Xiwen Wang,Jianting Ning,Junqing Gong,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2023.3303720

IF: 7.231

2023-09-01

IEEE Transactions on Information Forensics and Security

Abstract:Secure cloud-assisted data publish/subscribe (Pub/Sub) service provides an asynchronous method for publishers and subscribers to non-interactively exchange encrypted messages. Besides performing conjunctive subscription policy, numerous data Pub/Sub systems have recently been proposed to provide dynamic access control enforced from the publisher side to the subscriber side. However, these solutions fail to consider the following properties: (i) bilateral access control for both publishers and subscribers; (ii) the anonymity of the publisher; (iii) high matching time cost between publication and subscription. Therefore, we present P/S-BiAC, a secure and boolean cloud-assisted data Pub/Sub system with attribute-based bilateral access control that achieves authenticity and anonymity of publishers. In particular, P/S-BiAC enables cloud-based brokers to use the subscriber's trapdoor to match published data with sub-linear time complexity. Technically, we introduce a "BiAC-and-Hidden" technique to refine publication tuples and trapdoor in classic searchable symmetric encryption solutions. Moreover, we implement P/S-BiAC and evaluate its practical performance based on Enron dataset in real cloud environment. To deal with a conjunctive subscription policy, P/S-BiAC runs faster for matching time cost (with -term=10) compared to state-of-the-art solutions, which demonstrates its feasibility in practical data Pub/Sub services with strong security properties.

computer science, theory & methods,engineering, electrical & electronic

Hongyi Su,Geng Yang,and Dawei Li

2011-01-01

Abstract:Data storage is an important application of cloud computing. With a cloud computing platform, the burden of local data storage can be reduced. However, services and applications in a cloud may come from different providers, and creating an efficient protocol to protect privacy is critical. We propose a verification protocol for cloud database entries that protects against untrusted service providers. Based on identity-based encryption （IBE） for cloud storage, this protocol guards against breaches of privacy in cloud storage. It prevents service providers from easily constructing cloud storage and forging the signature of data owners by secret sharing. Simulation results confirm the availability and efficiency of the proposed protocol.

Kai Zhang,Xiaobing Shi,Jinguo Li,Yi Wu,Jianting Ning

DOI: https://doi.org/10.1016/j.sysarc.2024.103197

IF: 5.836

2024-01-01

Journal of Systems Architecture

Abstract:The Cloud-based data publish/subscribe (Pub/Sub) service presents a selective manner for publishers and subscribers to share and receive data, where confidentiality and authorized access to the data are the fundamental security properties. Therefore, the methodology of attribute-based keyword search (ABKS) was applied that recently considered bilateral access control between the publisher and subscriber. However, existing data Pub/Sub solutions fail to take into account the following features: (i) the efficient revocation of subscribers; (ii) the traceability and auditability of subscriptions; (iii) the excessive time cost of decryption procedure. Therefore, we propose TRA-PS, an accountable data Pub/Sub service that implements efficient revocation, traceability, and public auditability for subscriptions. Technically, we refine the secret key of subscriber in the classic ABKS schemes with associating its identity information and binding accountability module. In addition, we implement TRA-PS and evaluate its practical performance compared to state-of-the-art work in the real cloud environment. Besides achieving accountable property, TRA-PS significantly diminishes the decryption time cost (number of attributes/keywords is 25) by 91.8%, independent of the number of attributes/keywords.

Yanping Xiao,Chuang Lin,Yixin Jiang,Xiaowen Chu,Fangqin Liu

DOI: https://doi.org/10.1109/GLOCOM.2010.5683310

2010-01-01

Abstract:Cloud computing provides a novel computing paradigm for enterprises to store programs and data in the Cloud in a transparent manner, which poses the challenge of security and privacy. In this paper, based on homomorphic cryptography and Zero-Knowledge Proof, we present a novel privacy-preserving scheme for Cloud publish/subscribe service, which achieve efficient privacy-preserving authentication, data integrity, and publish-subscribe confidentiality. The performance evaluation and security analysis demonstrate the practice and validity of the proposed scheme.

Hua Dai,Xiangyang Zhu,Geng Yang,Xun Yi

DOI: https://doi.org/10.1109/BIGCOM.2017.56

2017-01-01

Abstract:With the development of cloud computing and its economic benefit, more and more companies and individuals outsource their data and computation to clouds. Meanwhile, the business way of resource outsourcing makes the data out of control from its owner and results in many security issues. The existing secure keyword search methods assume that cloud servers are curious-but-honest or partial honest, which makes them powerless to deal with the deliberately falsified or fabricated results of insider attacks. In this paper, we propose a verifiable single keyword top-k search scheme against insider attacks which can verify the integrity of search results. Data owners generate verification codes (VCs) for the corresponding files, which embed the ordered sequence information of the relevance scores between files and keywords. Then files and corresponding VCs are outsourced to cloud servers. When a data user performs a keyword search in cloud servers, the qualified result files are determined according to the relevance scores between the files and the interested keyword and then returned to the data user together with a VC. The integrity of the result files is verified by data users through reconstructing a new VC on the received files and comparing it with the received one. Performance evaluation have been conducted to demonstrate the efficiency and result redundancy of the proposed scheme.

Yinbin Miao,Jianfeng Ma,Ximeng Liu,Zhiquan Liu,Limin Shen,Fushan Wei

DOI: https://doi.org/10.1007/s12083-016-0487-7

2016-08-15

Abstract:The advantages of cloud computing encourage individuals and enterprises to outsource their local data storage and computation to cloud server, however, data security and privacy concerns seriously hinder the practicability of cloud storage. Although searchable encryption (SE) technique enables cloud server to provide fundamental encrypted data retrieval services for data-owners, equipping with a result verification mechanism is still of prime importance in practice as semi-trusted cloud server may return incorrect search results. Besides, single keyword search inevitably incurs many irrelevant results which result in waste of bandwidth and computation resources. In this paper, we are among the first to tackle the problems of data-owner updating and result verification simultaneously. To this end, we devise an efficient cryptographic primitive called as verifiable multi-keyword search over encrypted cloud data for dynamic data-owner scheme to protect both data confidentiality and integrity. Rigorous security analysis proves that our scheme is secure against keyword guessing attack (KGA) in standard model. As a further contribution, the empirical experiments over real-world dataset show that our scheme is efficient and feasible in practical applications.

computer science, information systems,telecommunications

Hua Shen,Jian Zhou,Ge Wu,Mingwu Zhang

DOI: https://doi.org/10.1109/access.2023.3334733

IF: 3.9

2023-12-20

IEEE Access

Abstract:The convenience and efficient management of cloud servers have resulted in an increasing number of users opting to store their data in the cloud. Consequently, data-outsourcing services relying on cloud servers have been extensively deployed and utilized. In this case, before outsourcing the data to cloud storage, we should ensure unauthorized users cannot access the data. In this article, we present a scheme termed MKSABE-VaAR (multi-keyword searchable attribute-based encryption with verification and attribute revocation). Aiming at the problems of inefficiency, excessive computation in the search process, and only supporting single-keyword search in most attribute-based searchable encryption schemes, first, we package multiple keywords into a polynomial to realize multi-keyword search. Based on this polynomial, MKSABE-VaAR can reduce the amount of search calculation for keyword ciphertext and improve search efficiency by reducing the number of bilinear pairing operations. At the same time, we have made some special constructs for indexing to add verification of user attributes in the keyword search process, which improves the search accuracy. Moreover, we adopt a linear secret-sharing technique to construct the attribute revocation function of MKSABE-VaAR, making a lower computational cost of attribute revocation. Furthermore, the mechanism of storing data and indexes separately greatly reduces the risk of data leakage of MKSABE-VaAR.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yinbin Miao,Jianfeng Ma,Qi Jiang,Xiong Li,Arun Kumar Sangaian

DOI: https://doi.org/10.1016/j.compeleceng.2017.06.021

IF: 4.152

2018-01-01

Computers & Electrical Engineering

Abstract:In smart city, which integrates the Information and Communication Technologies (ICT) including cloud computing and Internet of things, all kinds of data collected by smart devices help to make everything intelligent. Through outsourcing encrypted data to cloud server, data owners can reduce the high storage and computational burden on resources constrained smart devices. To further avoid the semi-honest-but-curious cloud server returning a fraction of false search results, this paper proposes a verifiable attribute-based keyword search scheme, thereby allowing users to check the correctness of the search results and achieving the fine-grained access control. Besides, our scheme considers the access privileges of the same data according to attribute-based priority tree. The formal security analysis proves that our scheme is secure against the chosen-keyword attacks in the generic bilinear group model, and the experimental simulations using a real-world dataset demonstrate its efficiency and feasibility in practice. (C) 2017 Elsevier Ltd. All rights reserved.

Zhirong Shen,Jiwu Shu,Wei Xue

DOI: https://doi.org/10.1109/jsen.2016.2634018

IF: 4.3

2016-01-01

IEEE Sensors Journal

Abstract:Cloud computing has become an increasingly popular service for data storage and processing. To keep users' data on the cloud from leaking to unauthorized users, probably including the cloud service providers, the data must be stored in an encrypted form. In the meantime, for data intended for sharing, an efficient access control must be provided. A common operation on the data is keyword search. Currently, search operation over encrypted search is performed at the cloud servers and access control for the in-cloud data is usually enforced by users. Separation of the two types of operations can lead to reduced efficiency and compromised privacy for users with a given set of access privileges to search over encrypted cloud data. In this paper, we study the problem of keyword search with access control over encrypted data in cloud computing. We first propose a scalable framework where user can use his attribute values and a search query to locally derive a search capability, and a file can be retrieved only when its keywords match the query and the user's attribute values can pass the policy check. Using this framework, we propose a novel scheme called KSAC. KSAC utilizes a recent cryptographic primitive called HPE to enforce fine-grained access control, perform multi-field query search, and support the derivation of the search capability. Intensive evaluations on real-world dataset are conducted to validate the applicability of the proposed scheme.

Xin Liu,Hao Wang,Bo Zhang,Bin Zhang

DOI: https://doi.org/10.1016/j.ins.2021.10.038

IF: 8.1

2022-01-01

Information Sciences

Abstract:In a data access control system oriented toward the cloud storage environment, a data owner defines attribute-based access control policies for data files to realize fine-grained data sharing. However, the existing schemes have defects in user execution efficiency and user privacy protection, and they do not consider the problems of user revocation and attribute updates. To this end, we propose a ciphertext policy attribute-based encryption method with verifiable outsourced decryption; this requires a user to complete decryption with the help of a server, but the results of the outsourced decryption can be verified independently. With this new encryption scheme and the technique of k-times anonymous authentication, a new fine-grained data access control system was constructed; this system allows a server to provide users with outsourced decryption services, and users’ computation cost is independent of the size of the underlying access control policy. Moreover, the number of outsourced decryption requests is limited. In addition, the new system supports user revocation and attribute updates and it is provably secure under formal proofs. An efficiency analysis shows that it can be compared with other similar systems in terms of performance, despite the addition of several practical properties.

computer science, information systems

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Xu Yang,Qiuhao Wang,Saiyu Qi,Ke Li,Jianfeng Wang,Wenjia Zhao,Yong Qi

DOI: https://doi.org/10.1109/tnse.2024.3445343

IF: 6.6

2024-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Data outsourcing is a key service of cloud computing. While data encryption ensures confidentiality, it limits the ability to search encrypted data. Recently, ciphertext-policy attribute-based keyword search(CP-ABKS)schemes, which combine symmetric searchable encryption (SSE) and ciphertext policy attribute-based encryption (CP-ABE), have gained attention. However, most CP-ABKS schemes depend on an independent key management server (KMS) for key distribution, risking key leakage if the KMS is compromised. Additionally, these schemes lack secure update operations and efficient search result verification. To address these issues, we propose VKSA, a verifiable encrypted keyword search scheme with authorization for cloud-based multi-client environments. VKSA features a novel policy-hidden index for proxy-free authorized searches, a state-based secure update strategy for forward and backward security, and a delegated search result verification mechanism to ensure efficient and privacy-preserving verification. We further optimize VKSA for improved computational and enclave-storage efficiency. Security analysis and experiments confirm the security and efficiency of our schemes.

Jie Zhao,Hejiao Huang,Yongliang Xu,Xiaojun Zhang,Hongwei Du,Chao Huang

DOI: https://doi.org/10.1016/j.tcs.2024.114895

IF: 1.002

2024-10-05

Theoretical Computer Science

Abstract:Cloud-assisted e-healthcare sharing systems (EHSSs) play an increasingly pivotal role in the contemporary healthcare field. By outsourcing electronic medical records (EMRs) to the cloud, hospitals can alleviate local storage and management burdens while facilitating data sharing. Due to the highly sensitive nature of EMRs, encryption is necessary before storing them on the cloud. Attribute-based keyword search (ABKS) enables the privacy protection of EMRs with efficient search services. However, there remain some limitations in practical application. Firstly, most ABKS schemes only support single keyword queries, resulting in inaccurate results and wastage of computing and bandwidth resources. Secondly, since sensitive information within EMRs is encrypted as a whole, different data users (including internal doctors and external researchers) should have varying access rights to prevent leakage of this sensitive information. Thirdly, incorrect search results could lead to misdiagnosis or endanger patients' lives and affect researchers' decision-making processes. To effectively tackle these challenges, this paper proposes a verifiable attribute-based multi-keyword search scheme with sensitive information hiding (VABMKS-SIH) for cloud-assisted EHSSs, where we present a secure model for multi-keyword search with two-level access structure by incorporating an improved blindness filtering technique into ciphertext-policy attribute-based encryption (CP-ABE) within existing keyword search framework. Our scheme employs a super-increasing sequence to aggregate multiple filtered data blocks into one unified ciphertext, thereby greatly reducing communication overhead during the transmission phases of ciphertext. To check the correctness of returned results, we introduce a lightweight algebraic signature algorithm based on fundamental algebraic operations. A security analysis demonstrates that VABMKS-SIH is provably secure under the random oracle mode. Additionally, we also evaluate the proposed scheme's performance to demonstrate its utility in cloud-assisted EHSSs.

computer science, theory & methods

Ying Miao,Yapeng Miao,Xuexue Miao

DOI: https://doi.org/10.1007/s10619-024-07446-4

IF: 0.974

2024-11-09

Distributed and Parallel Databases

Abstract:To improve the data security and integrity of the outsourced data, storing multiple copies of data on multiple cloud servers is a good way. Many public Provable Data Possession (PDP) schemes in multiple cloud servers have been proposed in recent years. However, in some scenarios, the Data Owner (DO) may not want anyone (e.g. a stranger) to check the integrity of their data. Nevertheless, few schemes consider the fault's location function when the data auditing fails. Another problem is that anyone can make a challenge for the Cloud Server (CS) in the PDP schemes. Some access control strategies are necessary to reduce the waste of computation power resources of the CS. To solve these problems, we propose a certificateless and designed-verifier auditing scheme in multi-cloud storage environments. In our scheme, we utilize certificateless signature combined with a delegation key to achieve designed-verifier auditing. We design a secret Merkle Hash Tree (MHT) to locate the faults of CSs and data blocks. We utilize Zero-Knowledge Proof (ZKP) to achieve access control. Theoretical and experimental evaluation show that the proposed scheme is efficient and practical.

computer science, information systems, theory & methods

Shuran Wang,Dahan Pan,Runhan Feng,Yuanyuan Zhang

DOI: https://doi.org/10.1109/trustcom53373.2021.00037

2021-01-01

Abstract:The publish/subscribe(pub/sub) is an asynchronous messaging service or content distribution framework. For the idempotency it provides, pub/sub diagram is an efficient solution for large-scale content distributing systems, thus it is widely used in stock exchange systems or e-Health content sharing systems. Some wide-area applications require cross-domain pub/sub service, making it a natural choice to deploy on the public cloud. However, it would bring about security and privacy issues. Recent research proposes security enhancements to prevent thefts, such as searchable data encryption and attribute-based encryption, which allow the matching process to perform encrypted matching without learning the content of the publications and subscriptions. Besides the considerable performance loss, they could not resist the collusion attacks. If the malicious brokers collude with a malicious publisher or subscriber in a cross-domain environment, they can still infer the subscriptions of benign subscribers. We propose the MagikCube framework that provides confidentiality and integrity of the contents and also protects the privacy of the publishers and subscribers in cross-domain scenarios. Moreover, MagikCube can also resist the collusion attacks from malicious brokers in a cross-domain environment. It achieves these security goals by dynamically selecting and placing the sensitive data and some necessary components in enclaves protected by trusted hardware such as Intel SGX. Our experiment result shows that, compared with the baseline model, MagikCube does not introduce much overhead loss when providing better security for all the participants in the pub/sub system.

Jingwei Li,Jin Li,Xiaofeng Chen,Zheli Liu,Chunfu Jia

DOI: https://doi.org/10.1016/j.future.2013.06.011

IF: 7.307

2014-01-01

Future Generation Computer Systems

Abstract:As cloud computing becomes prevalent, more and more sensitive data is being centralized into the cloud, which raises a new challenge on how to utilize the outsourced data in a privacy-preserving manner. Although searchable encryption allows for privacy-preserving keyword search over encrypted data, it could not work effectively for restricting unauthorized access to the outsourced private data. In this paper, aiming at tackling the challenge of privacy-preserving utilization of data in cloud computing, we propose a practical hybrid architecture in which a private cloud is introduced as an access interface between the data owner/user and the public cloud. Under this architecture, a data utilization system is provided to achieve both exact keyword search and fine-grained access control over encrypted data. Security and efficiency analysis for the proposed system are presented in detail. Then, further enhancements for this system are considered in two steps. (1) We show how to extend our system to support efficient fuzzy keyword search while overcoming the disadvantage of insignificant decryption in the existing privacy-preserving fuzzy keyword search scheme. (2) We demonstrate approaches to realize an outsourcing cryptographic access control mechanism and further reduce the computational cost at the data user side.

Yongjun Ren,Jian Shen,Jin Wang,Jin Han,Sungyoung Lee

DOI: https://doi.org/10.6138/jit.2015.16.2.20140918

2015-01-01

Abstract:Cloud storage is now a hot research topic in information technology. In cloud storage, date security properties such as data confidentiality, integrity and availability become more and more important in many commercial applications. Recently, many provable data possession (PDP) schemes are proposed to protect data integrity. In some cases, it has to delegate the remote data possession checking task to some proxy. However, these PDP schemes are not secure since the proxy stores some state information in cloud storage servers. Hence, in this paper, we propose an efficient mutual verifiable provable data possession scheme, which utilizes Diffie-Hellman shared key to construct the homomorphic authenticator. In particular, the verifier in our scheme is stateless and independent of the cloud storage service. It is worth noting that the presented scheme is very efficient compared with the previous PDP schemes, since the bilinear operation is not required.

Bobo Huang,Rui Zhang,Zhihui Lu,Yiming Zhang,Jie Wu,Lu Zhan,Patrick C.K. Hung

DOI: https://doi.org/10.1016/j.jpdc.2020.05.005

IF: 4.542

2020-09-01

Journal of Parallel and Distributed Computing

Abstract:<p>In recent years, with the rapid development of smart city, prevalent pub/sub (publish/subscribe) streaming systems have been increasingly employed as upstream middleware layer in multi-tenant edge clouds, and feed large volume of data gathered from IoT devices of different tenants into downstream systems (e.g., data analytics and warehouse). A shared tenancy model where multiple untrusted applications or tenants utilize the same pub/sub system is generally exploited in edge cloud, which poses crucial challenges including privacy-sensitive data/metadata access threat and critical metadata modification by unauthorized tenants. A centralized monitoring node is invariably adopted in existing security strategies (such as ACL, TLS), which causes the pub/sub streaming model vulnerable to external malicious attacks and single point failure.</p><p>In this paper, inspired by outstanding features of blockchain including tamper-resistance, decentralization, strong consistency, and traceability, we propose BPS, a general and decentralized Blockchain-enhanced Pub/Sub communication model for multi-tenant edge cloud, to redesign pub/sub system internal security mechanisms. Specifically, by exploiting blockchain technology, BPS can detect the illegal operations and behaviors from both malicious tenants and untrusted publishers or subscribers. BPS directly leverages Merkel Hash Tree (MHT) of blockchain to verify the integrity of critical and confidential metadata. Regarding authorization, BPS introduces smart-contract-enabled fine-grained control over partition topic-classified messages by storing access control list (ACL) into an append-only blockchain ledger. Additionally, an incentive mechanism is employed in BPS to reward honest publishers and subscribers. We implement BPS prototype based on Kafka and EoS blockchain. Our security analysis and extensive experiments demonstrate that BPS outperforms the state-of-the-art pub/sub streaming system Kafka in security with minimal performance overhead.</p>

computer science, theory & methods

Kai Zhang,Zhe Jiang,Jianting Ning,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2022.3172627

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Secure cloud search service allows resource-constrained clients to effectively search over encrypted cloud storage. Towards enabling owner-enforced search authorization, the notion of attribute-based keyword search (ABKS) has been introduced and widely deployed in practice. To enhance traditional security of ABKS, two state-of-the-art solutions are presented to address keyword guessing attacks or setup inconsistency for secret key. Nevertheless, they have not simultaneously considered the following threats to a data user: (i) inconsistent secret key/cipher-index caused by outside dishonest authority and/or data owner; (ii) algorithm substitution attacks (ASA) launched by inside adversarial eavesdropping. These attacks may unfortunately lead to cloud data breach and user information exposure. To tackle such outside and inside threats, we introduce subversion-resistance and consistency for secure and fine-grained cloud document search services. In particular, we propose a consistent ABKS system with cryptographic reverse firewalls (CRF). Technically, we refer to verifiable functional encryption and employ non-interactive zero-knowledge proofs of discrete logarithm equality to ensure strong input consistency for ABKS. In addition, we build a trusted CRF zone for sanitizing algorithm outputs against ASA attacks. Moreover, we formalize the security model and formally prove security of our system. To clarify practical performance, we implement state-of-the-art solutions and our system in real cloud environment based on Enron dataset. The results show that our system achieves more enhanced security properties without obviously sacrificing performance. In particular, our system achieves comparable time and storage cost for document-index encryption and document search, as compared to state-of-the-art solutions.