J. Li,X. Chen,H. Tian,C. Gao

DOI: https://doi.org/10.1504/ijahuc.2014.065156

2014-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:Since the notion of attribute-based encryption (ABE) was proposed, it has been found a lot of important applications such as fine-grained access control. However, the issue of key exposure problem in ABE has been solved completely. This problem is formally addressed and formulated in this paper. More specifically, we propose a new key-insulated ABE (KI-ABE) scheme as a solution to the key exposure problem. The definition and security model of KI-ABE is proposed. Then, a KI-ABE scheme is presented, which is provably secure under the proposed model. The scheme is secure in the remaining time periods against an adversary who compromises the insecure device and obtains secret keys for the periods of its choice. Finally, we show that the scheme also supports user delegation, which is critical when one wants to delegate part of attributes (privileges) to others.

Kexian Liu,Jianfeng Guan,Xiaolong Hu,Jing Zhang,Jianli Liu,Hongke Zhang

2024-11-14

Abstract:To meet the diverse needs of users, the rapid advancement of cloud-edge-device collaboration has become a standard practice. However, this complex environment, particularly in untrusted (non-collaborative) scenarios, presents numerous security challenges. Authentication acts as the first line of defense and is fundamental to addressing these issues. Although many authentication and key agreement schemes exist, they often face limitations, such as being tailored to overly specific scenarios where devices authenticate solely with either the edge or the cloud, or being unsuitable for resource-constrained devices. To address these challenges, we propose an adaptive and efficient authentication and key agreement scheme (AEAKA) for Cloud-Edge-Device IoT environments. This scheme is highly adaptive and scalable, capable of automatically and dynamically initiating different authentication methods based on device requirements. Additionally, it employs an edge-assisted authentication approach to reduce the load on third-party trust authorities. Furthermore, we introduce a hash-based algorithm for the authentication protocol, ensuring a lightweight method suitable for a wide range of resource-constrained devices while maintaining security. AEAKA ensures that entities use associated authentication credentials, enhancing the privacy of the authentication process. Security proofs and performance analyses demonstrate that AEAKA outperforms other methods in terms of security and authentication efficiency.

Cryptography and Security

Xuanmei Qin,Yongfeng Huang,Zhen Yang,Xing Li

DOI: https://doi.org/10.1016/j.ins.2020.12.035

IF: 8.1

2021-01-01

Information Sciences

Abstract:Attribute-based encryption (ABE) is considered to be one of the most suitable schemes for cryptographic access control in the big data environment. But it still faces many challenges to be applied in the Internet of Things (IoT). ABE is implemented based on bilinear pairing, which is considered to be an expensive operation. However, there are lots of IoT devices with constrained resources. Proxy re-encryption methods based on the cloud are proposed to reduce computing overhead on the user side, but an untrusted cloud may give incorrect computing results to mislead users. To solve this problem, an access control scheme with lightweight decryption based on ABE and blockchain technologies is proposed. We assume that the cloud is untrusted, and guarantee the accuracy of proxy re-encryption calculation based on blockchain. In addition, how to encourage users to obtain authorization through blockchain and record access behavior on the blockchain is a problem worthy of attention. This paper proposes a user credibility incentive mechanism, which calculates the user's credibility according to the user's access behavior and gives a reputation score, so as to dynamically adjust the endorsement protocol. Security analysis and experimental results show that the proposed method is reliable and efficient. (C) 2020 Elsevier Inc. All rights reserved.

Shuwei Xie,Leyou Zhang,Qing Wu,Fatemeh Rezaeibagha

DOI: https://doi.org/10.1016/j.sysarc.2024.103179

IF: 5.836

2024-05-19

Journal of Systems Architecture

Abstract:The emergence of the Internet of Medical Things (IoMT) has presented numerous opportunities for the healthcare industry. It is anticipated to enhance the quality and efficiency of medical services, thus enhancing people's overall quality of life. However, frequently occurring medical data leakage makes the protection of medical data and privacy in IoMT become a critical issue. Among the solutions, attribute-based encryption (ABE) has been a very promising solution due to its flexible and fine-grained access control to encrypted data. However, the majority of current ABE schemes are based on bilinear pairing and are vulnerable to quantum attacks. The available of multi-authority ABE schemes over lattice only support a single policy such as threshold or AND gate, and lack the ability to implement user or attribute revocation in a flexible manner. For the special algebra structure of the lattice based scheme, how to overcome them is still a challenge at present. Aiming at the above, we propose a novel multi-authority key-policy attribute based encryption (RM-KP-ABE) based on the Ring Learning With Errors (RLWE) assumption. It supports multi-valued attributes and {0,1} -LSSS access policy. This scheme allows multiple authorities to participate in key distribution and enables attribute revocation when dynamic users change their situation. {0,1} -LSSS access policy makes the proposal get highly expressive which supports any monotonic boolean formula. Security analysis and performance evaluations demonstrate that our scheme is secure and efficient.

computer science, software engineering, hardware & architecture

Rui Cheng,Kehe Wu,Yuling Su,Wei Li,Wenchao Cui,Jie Tong

DOI: https://doi.org/10.3390/pr9071176

IF: 3.5

2021-07-06

Processes

Abstract:The rapid development of the power Internet of Things (IoT) has greatly enhanced the level of security, quality and efficiency in energy production, energy consumption, and related fields. However, it also puts forward higher requirements for the security and privacy of data. Ciphertext-policy attribute-based encryption (CP-ABE) is considered a suitable method to solve this issue and can implement fine-grained access control. However, its internal bilinear pairing operation is too expensive, which is not suitable for power IoT with limited computing resources. Hence, in this paper, a novel CP-ABE scheme based on elliptic curve cryptography (ECC) is proposed, which replaces the bilinear pairing operation with simple scalar multiplication and outsources most of the decryption work to edge devices. In addition, time and location attributes are combined in the proposed scheme, allowing the data users to access only within the range of time and locations set by the data owners to achieve a more fine-grained access control function. Simultaneously, the scheme uses multiple authorities to manage attributes, thereby solving the performance bottleneck of having a single authority. A performance analysis demonstrates that the proposed scheme is effective and suitable for power IoT.

engineering, chemical

Shucheng Yu,Kui Ren,Wenjing Lou,Jin Li

DOI: https://doi.org/10.1007/978-3-642-05284-2_18

2009-01-01

Abstract:Key-Policy Attribute-Based Encryption (KP-ABE) is a promising cryptographic primitive which enables fine-grained access control over sensitive data. However, key abuse attacks in KP-ABE may impede its wide application especially in copyright-sensitive systems. To defend against this kind of attacks, this paper proposes a novel KP-ABE scheme which is able to disclose any illegal key distributor's ID when key abuse is detected. In our scheme, each bit of user ID is defined as an attribute and the user secret key is associated with his unique ID. The tracing algorithm fulfills its task by tricking the pirate device into decrypting the ciphertext associated with the corresponding bits of his ID. Our proposed scheme has the salient property of black box tracing, i.e., it traces back to the illegal key distributor's ID only by observing the pirate device's outputs on certain inputs. In addition, it does not require the pirate device's secret keys to be well-formed as compared to some previous work. Our proposed scheme is provably secure under the Decisional Bilinear Diffie-Hellman (DBDH) assumption and the Decisional Linear (DL) assumption.

Jialu Hao,Cheng Huang,Jian Liu,Ming Xian,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/glocom.2018.8647659

2018-01-01

Abstract:Data owners have benefited significantly from cloud computing for managing the numerous data produced by massive devices in various Internet of Things (IoT) applications, such as smart home and electronic healthcare. On the other hand, fine-grained access control on outsourced data is a big concern for data owners, after they lose physical control over their data. Key-policy attribute-based encryption (KP-ABE), which provides data confidentiality and fine-grained data access control simultaneously, can be naturally introduced in this cloud-based IoT paradigm. However, the primitive KP-ABE cannot achieve efficient data access control with flexible user revocation. In this paper, we propose an efficient and fine-grained data access control scheme based on the proxy re-encryption and key blinding techniques for cloud-based IoT. With the scheme, the decryption capability of misbehaving users can be efficiently revoked to prevent data disclosure. In addition, most of the costly update operations over ciphertexts and keys due to user revocation, are delegated to the cloud. Extensive experiment results demonstrate that our scheme is more efficient than existing solutions in terms of computation and communication overheads.

JoonYoung Lee,MyeongHyun Kim,KiSung Park,SungKee Noh,Abhishek Bisht,Ashok Kumar Das,Youngho Park

DOI: https://doi.org/10.3390/s23115173

2023-05-29

Abstract:Recently, with the increasing application of the Internet of Things (IoT), various IoT environments such as smart factories, smart homes, and smart grids are being generated. In the IoT environment, a lot of data are generated in real time, and the generated IoT data can be used as source data for various services such as artificial intelligence, remote medical care, and finance, and can also be used for purposes such as electricity bill generation. Therefore, data access control is required to grant access rights to various data users in the IoT environment who need such IoT data. In addition, IoT data contain sensitive information such as personal information, so privacy protection is also essential. Ciphertext-policy attribute-based encryption (CP-ABE) technology has been utilized to address these requirements. Furthermore, system structures applying blockchains with CP-ABE are being studied to prevent bottlenecks and single failures of cloud servers, as well as to support data auditing. However, these systems do not stipulate authentication and key agreement to ensure the security of the data transmission process and data outsourcing. Accordingly, we propose a data access control and key agreement scheme using CP-ABE to ensure data security in a blockchain-based system. In addition, we propose a system that can provide data nonrepudiation, data accountability, and data verification functions by utilizing blockchains. Both formal and informal security verifications are performed to demonstrate the security of the proposed system. We also compare the security, functional aspects, and computational and communication costs of previous systems. Furthermore, we perform cryptographic calculations to analyze the system in practical terms. As a result, our proposed protocol is safer against attacks such as guessing attacks and tracing attacks than other protocols, and can provide mutual authentication and key agreement functions. In addition, the proposed protocol is more efficient than other protocols, so it can be applied to practical IoT environments.

Ke Zhang,Jiahuan Long,Xiaofen Wang,Hong-Ning Dai,Kaitai Liang,Muhammad Imran

DOI: https://doi.org/10.1109/tii.2020.3014168

IF: 12.3

2021-06-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial Internet of Things (IoT) has suffered from insufficient identity authentication and dynamic network topology, thereby resulting in vulnerabilities to data confidentiality. Recently, the attribute-based encryption (ABE) schemes have been regarded as a solution to ensure data transmission security and the fine-grained sharing of encrypted IoT data. However, most of existing ABE schemes that bring tremendous computational cost are not suitable for resource-constrained IoT devices. Therefore, lightweight and efficient data sharing and searching schemes suitable for IoT applications are of great importance. To this end, In this article, we propose a light searchable ABE scheme (namely LSABE). Our scheme can significantly reduce the computing cost of IoT devices with the provision of multiple-keyword searching for data users. Meanwhile, we extend the LSABE scheme to multiauthority scenarios so as to effectively generate and manage the public/secret keys in the distributed IoT environment. Finally, the experimental results demonstrate that our schemes can significantly maintain computational efficiency and save the computational cost at IoT devices, compared to other existing schemes.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Hu Xiong,Xin Huang,Minghao Yang,Lili Wang,Shui Yu

DOI: https://doi.org/10.1109/jiot.2021.3094323

IF: 10.6

2022-02-15

IEEE Internet of Things Journal

Abstract:Existing attribute-based encryption (ABE) schemes with revocation to secure the cloud-assisted Internet of Things (IoTs) raise challenges, such as eliminating the need for predefined public parameters in system initialization, performing the encryption and decryption operations efficiently, and achieving adaptive security under standard security assumption. In this article, we address these challenges by proposing an unbounded and efficient revocable ABE scheme with adaptive security for cloud-assisted IoTs. Distinct from the previous approaches in this field, our scheme not only efficiently realizes access control over encrypted data in a fine-grained and revocable way but also is proved to be adaptively secure under standard decision linear assumption. Meanwhile, the parameters do not need to be predefined in the system initialization and thus, our scheme satisfies the unbounded property. Moreover, the monotonic span program (MSP) is elegantly utilized as the access structure to reduce the number of bilinear pairing and exponentiation operations for encryption and decryption. Theoretical performance analysis and experiment evaluation disclose that our proposed scheme owns outstanding feasibility, efficiency, and effectiveness.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xing Zhang,Cancan Jin,Cong Li,Zilong Wen,Qingni Shen,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1007/978-3-319-28865-9_27

2015-01-01

Abstract:To ensure the security of sensitive data, people need to encrypt them before uploading them to the public storage. Attribute-based encryption (ABE) is a promising cryptographic primitive for fine-grained sharing of encrypted data. However, ABE lacks user and authority accountability. The user can share his/her secret key without being identified, while key generation center (KGC) can generate any user’s secret key. In this paper, we propose a practical large universe ciphertext-policy ABE (CP-ABE) with user and authority accountability in the white-box model. As embedding the user’s identity information into this user’s secret key directly, the trace stage has only O(1) time overhead. The property of accountability is proved against the dishonest user and KGC in the standard model. We implement our scheme in Charm. Experiments show that CP-ABE of Rouselakis and Waters in CCS 2013 is enhanced in user and authority accountability by our method with small computational cost.

Kranthi Kumar Singamaneni,Anil Kumar Budati,Thulasi Bikku

DOI: https://doi.org/10.1007/s11277-024-10908-8

IF: 2.017

2024-03-14

Wireless Personal Communications

Abstract:The Key Policy Attribute-based Encryption (KPABE) standard arises as the utmost appropriate security system for public key encipherment. KP-ABE has been extensively utilized to carry out admittance management resolutions. However, because of its pricey operating expense, it's hard to employ this encipherment standard over networks with limited resources like IoT and IIoT. Fortunately, the cloud must turn into a base framework to accommodate IoT functions; it is fascinating to take advantage of the resources of the cloud to carry out substantial functions related to IoT. We anticipated an effective Quantum KP-ABE framework for cloud-centric IoT apps; in this connection, our proposed approach is centered on using computational storage and power capabilities of cloud-based servers and reliable associate hosts to perform intense functions. A recital evaluation is directed to exhibit the efficacy of the planned framework. The experimental assessment showed that our model's encryption process computation time was 48% faster than existing methods. Memory occupancy efficacy evaluations showed that our approach uses 22% less cloud storage space than conventional standards even with 1 GB of user data. In comparative assessments of enciphered standards, the suggested model's 18% shorter execution time for key generation compared to conventional hash-based standards showed its feasibility for fast cryptographic procedures.

telecommunications

Jie Niu,Xuelian Li,Juntao Gao,Yue Han

DOI: https://doi.org/10.1109/jiot.2019.2956322

IF: 10.6

2020-02-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) makes our life more intelligent. Its combination with the cloud server can solve big data processing problems to meet users' needs and bring us great convenience. However, there are two challenges we need to face: data sharing and key leakage. To solve the above challenges, attribute-based encryption (ABE) is used to achieve data sharing combined with searchable encryption (SE). Most of the existing attribute-based searchable encryption (SE) schemes are inefficient and not suitable for IoT devices because of the large amount of attributes and keys. The key-leakage problem is serious in practice which very little literature focused on it. In order to address both problems, in this article, we propose a key aggregation searchable encryption (KASE) scheme based on the blockchain with auxiliary input (AI), which is capable of achieving secure data sharing on the encrypted data. Our scheme is presented through a novel chosen plaintext attack (CPA) secure scheme. We prove our scheme is chosen ciphertext attack (CCA) secure against key leakage under the decisional Diffie–Hellman assumption and Goldreich–Leivin theorem. Moreover, we adopt the proposed scheme to establish a data-sharing system based on blockchain, which improves search efficiency and connects the global ecology. In addition, extensive performance evaluations are conducted, and the results indicate our scheme is really efficient in cloud-computing-enhanced IoT.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chong Guo,Bei Gong,Muhammad Waqas,Hisham Alasmary,Shanshan Tu,Sheng Chen

DOI: https://doi.org/10.3390/s24216843

IF: 3.9

2024-10-25

Sensors

Abstract:The Internet of Things (IoT) is a heterogeneous network composed of numerous dynamically connected devices. While it brings convenience, the IoT also faces serious challenges in data security. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptography method that supports fine-grained access control, offering a solution to the IoT's security issues. However, existing CP-ABE schemes are inefficient and unsuitable for IoT devices with limited computing resources. To address this problem, this paper proposes an efficient pairing-free CP-ABE scheme for the IoT. The scheme is based on lightweight elliptic curve scalar multiplication and supports multi-authority and verifiable outsourced decryption. The proposed scheme satisfies indistinguishability against chosen-plaintext attacks (CPA) under the elliptic curve decisional Diffie–Hellman (ECDDH) problem. Performance analysis shows that our proposed scheme is more efficient and better suited to the IoT environment compared to existing schemes.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xiyu Liang,Yali Liu,Jianting Ning

DOI: https://doi.org/10.1109/JBHI.2024.3391218

Abstract:IoT and 5G-enabled smart healthcare allows medical practitioners to diagnose patients from any location via electronic health records (EHRs) by wireless body area network (WBAN) devices. Privacy, including the medical practitioner's identity and the patient's EHR, can easily be leaked from hospitals or cloud servers, and secret keys used to access EHRs must be revoked after diagnosis. In response to the challenges associated with user authentication and secret key revocation, this paper proposes an access control scheme with privacy-preserving authentication and flexible revocation for smart healthcare using attribute-based encryption (ABE), named PAFR-ABE, which provides access control to prevent malicious users from decrypting EHRs. Meanwhile, PAFR-ABE ensures privacy-preserving authentication for users during secret key generation, which safeguards users' identities and prevents unauthorized requests for secret keys. In addition, PAFR-ABE achieves flexible revocation and recovery of secret keys, which eliminates the need to update secret keys for unrevoked users. Security analysis indicates that PAFR-ABE meets the security requirements of an access control scheme for smart healthcare, especially in terms of forward security and backward security. Performance analysis shows that PAFR-ABE is efficient in the key generation and revocation algorithms compared with typical access control schemes.

Cong Li,Qingni Shen,Zhikang Xie,Jisheng Dong,Xinyu Feng,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1016/j.ins.2022.08.014

IF: 8.1

2022-01-01

Information Sciences

Abstract:Hierarchical-authority attribute-based encryption (HABE) can resolve the performance bottleneck of the key generation center in the traditional attribute-based encryption (ABE) system. HABE has numerous applications, such as cloud computing and smart grid systems. Nevertheless, almost all of the existing HABE schemes are in the ciphertext-policy setting and do not support non-monotonic access structures. In this work, we propose the first key-policy hierarchical-authority ABE with non-monotonic access structures, dubbed KP-HABE-NMaCS, which supports the authority key delegation, constant size ciphertexts and the large universe simultaneously. We further define the security model of KP-HABE-NMaCS and prove the selective security of it in the standard model. Then we optimize our scheme to realize the outsourced decryption. Subsequently, we present the detailed theoretical analysis of our constructions and the existing HABE constructions in computation and storage costs, and meanwhile implement ours and conduct a series of experiments. Both results indicate that our KP-HABE-NMaCS construction makes improvements in expressiveness and features, and achieves efficiency comparable to the previous HABE constructions. Furthermore, they also show that our extension construction is suitable for resource-limited applications. Eventually, we explore how to apply our KP-HABE-NMaCS to build an ABE with equality test and time-based authorization.

Weiqian Huo,Jisheng Pei,Ke Zhang,Xiaojun Ye

DOI: https://doi.org/10.1109/PAAP.2014.11

2014-01-01

Abstract:To allow fine-grained access control of sensitive data, researchers have proposed various types of functional encryption schemes, such as identity-based encryption, searchable encryption and attribute-based encryption. We observe that it is difficult to define some complex access policies in certain application scenarios by using these schemes individually. In this paper, we attempt to address this problem by proposing a functional encryption approach named Key-Policy Attribute-Based Encryption with Attribute Extension (KP-ABE-AE). In this approach, we utilize extended attributes to integrate various encryption schemes that support different access policies under a common top-level KP-ABE scheme, thus expanding the scope of access policies that can be defined. Theoretical analysis and experimental studies are conducted to demonstrate the applicability of the proposed KP-ABE-AE. We also present an optimization for a special application of KP-ABE-AE where IPE schemes are integrated with a KP-ABE scheme. The optimization results in an integrated scheme with better efficiency when compared to the existing encryption schemes that support the same scope of access policies.

Suhui Liu,Jiguo Yu,Yinhao Xiao,Zhiguo Wan,Shengling Wang,Biwei Yan

DOI: https://doi.org/10.1109/jiot.2020.2993231

IF: 10.6

2020-09-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) changed our lives with huge amounts of data production. Due to source-limited IoT devices, one of the best ways to process the data is cloud storage. However, a series of security and privacy issues arise, such as illegal data access, data tampering, and privacy leak. Though symmetric encryption can guarantee data confidentiality, it cannot realize fine-grained data sharing and searching. The keyword-based searchable attribute-based encryption (KSABE) can achieve data confidentiality and fine-grained access control. More importantly, it realizes a keyword-based search for data users. However, the heavy decryption computation burden and the management of massive user keys appear when implementing attribute-based encryption schemes to IoT. Therefore, this article proposes a blockchain-aided searchable attribute-based encryption (BC-SABE) with efficient revocation and decryption, where the traditional centralized server is replaced with a decentralized blockchain system being in charge of the threshold parameter generation, key management, and user revocation. All revocation tasks are done by the blockchain and it is on longer necessary for ciphertext reencryption and key update. Moreover, users utilize the coalition blockchain to generate partial tokens. Besides, the cloud server contained in our scheme not only stores the massive encrypted data but also performs search and predecryption for users who only require one exponentiation in the group ${mathbb {G}}$ to decrypt fully. Security analyses prove that our scheme realizes the security under the chosen plaintext attack and the chosen keyword attack. Simulations show that the decryption and token generation cost of our scheme are preferable.

computer science, information systems,telecommunications,engineering, electrical & electronic

Weichu Deng,Jin Li,Hongyang Yan,Arthur Sandor Voundi Koe,Teng huang,Jianfeng Wang,Cong Peng

DOI: https://doi.org/10.1016/j.jisa.2024.103885

IF: 4.96

2024-09-14

Journal of Information Security and Applications

Abstract:In the Internet of Things, access control and identity management rely on centralized platforms. However, centralized platforms will compromise user privacy with identity leakage. Self-sovereign identity (SSI) is a novel model for identity management that does not require third-party centralized authority. Thus, SSI is a potential solution to the identity management problem in IoT access control. This paper's motivation is to address the problems of lack of identity sovereignty, centralized authorization, and high computational overhead for IoT access control. We propose a novel access control scheme for IoT that decentralizes identity management and tackles single-point-of-failure issues. This scheme leverages ciphertext policy attribute-based encryption (CP-ABE) and SSI to achieve the overall goal. Specifically, Our scheme eliminates the central authority and empowers users to manage their identity, allowing users to decide what attributes they disclose. Regarding the distribution of roles in the architecture, this paper follows the generic SSI model (ISSUER–HOLDER—VERIFIER) that allows a user to access a service from a service provider. To enable real-world deployment of our scheme, we establish an attribute authorization authority(such as the government) as a trusted identity point of entry. Users generate decentralized identifiers to enjoy services of interest in a privacy-preserving manner. The analysis demonstrates the practicality and superiority of our scheme. Our scheme requires less computation and is suitable for resource-constrained IoT scenarios.

computer science, information systems