Chao Liu,Cankun Hou,Tianyu Jiang,Jianting Ning,Hui Qiao,Yusen Wu

2024-06-06

Abstract:Data-driven landscape across finance, government, and healthcare, the continuous generation of information demands robust solutions for secure storage, efficient dissemination, and fine-grained access control. Blockchain technology emerges as a significant tool, offering decentralized storage while upholding the tenets of data security and accessibility. However, on-chain and off-chain strategies are still confronted with issues such as untrusted off-chain data storage, absence of data ownership, limited access control policy for clients, and a deficiency in data privacy and auditability. To solve these challenges, we propose a permissioned blockchain-based privacy-preserving fine-grained access control on-chain and off-chain system, namely FACOS. We applied three fine-grained access control solutions and comprehensively analyzed them in different aspects, which provides an intuitive perspective for system designers and clients to choose the appropriate access control method for their systems. Compared to similar work that only stores encrypted data in centralized or non-fault-tolerant IPFS systems, we enhanced off-chain data storage security and robustness by utilizing a highly efficient and secure asynchronous Byzantine fault tolerance (BFT) protocol in the off-chain environment. As each of the clients needs to be verified and authorized before accessing the data, we involved the Trusted Execution Environment (TEE)-based solution to verify the credentials of clients. Additionally, our evaluation results demonstrated that our system offers better scalability and practicality than other state-of-the-art designs.

Cryptography and Security

Xiaoshuai Zhang,Chao Liu,Kok Keong Chai,Stefan Poslad

DOI: https://doi.org/10.3390/s20174681

2020-08-19

Abstract:Permissioned blockchains can be applied for sharing data among permitted users to authorise the data access requests in a permissioned blockchain. A consensus network constructed using pre-selected nodes should verify a data requester's credentials to determine if he or she have the correct permissions to access the queried data. However, current studies do not consider how to protect users' privacy for data authorisation if the pre-selected nodes become untrusted, e.g., the pre-selected nodes are manipulated by attackers. When a user's credentials are exposed to pre-selected nodes in the consensus network during authorisation, the untrusted (or even malicious) pre-selected nodes may collect a user's credentials and other private information without the user's right to know. Therefore, the private data exposed to the consensus network should be tightly restricted. In this paper, we propose a challenge-response based authorisation scheme for permissioned blockchain networks named Challenge-Response Assisted Access Authorisation (CRA3) to protect users' credentials during authorisation. In CRA3, the pre-selected nodes in the consensus network do not require users' credentials to authorise data access requests to prevent privacy leakage when these nodes are compromised or manipulated by attackers. Furthermore, the computational burden on the consensus network for authorisation is reduced because the major computing work of the authorisation is executed by the data requester and provider in CRA3.

Meng Shen,Yuzhi Liu,Qinglin Zhao,Wei Wang,Wei Ou,Wenbao Han,Liehuang Zhu

2024-10-31

Abstract:As blockchain applications become increasingly widespread, there is a rising demand for on-chain data queries. However, existing schemes for on-chain data queries face a challenge between verifiability and efficiency. Queries on blockchain databases can compromise the authenticity of the query results, while schemes that utilize on-chain Authenticated Data Structure (ADS) have lower efficiency. To overcome this limitation, we propose an efficient and verifiable on-chain data query framework EVeCA. In our approach, we free the full nodes from the task of ADS maintenance by delegating it to a limited number of nodes, and full nodes verify the correctness of ADS by using challenge-based authentication scheme instead of reconstructing them, which prevents the service providers from maintaining incorrect ADS with overwhelming probability. By carefully designing the ADS verification scheme, EVeCA achieves higher efficiency while remaining resilient against adaptive attacks. Our framework effectively eliminates the need for on-chain ADS maintenance, and allows full nodes to participate in ADS maintenance in a cost-effective way. We demonstrate the effectiveness of the proposed scheme through security analysis and experimental evaluation. Compared to existing schemes, our approach improves ADS maintenance efficiency by about 20*.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Ye Lu,Tao Feng,Chunyan Liu,Wenbo Zhang

DOI: https://doi.org/10.32604/cmc.2023.046106

2024-01-01

Abstract:The Access control scheme is an effective method to protect user data privacy. The access control scheme based on blockchain and ciphertext policy attribute encryption (CP–ABE) can solve the problems of single—point of failure and lack of trust in the centralized system. However, it also brings new problems to the health information in the cloud storage environment, such as attribute leakage, low consensus efficiency, complex permission updates, and so on. This paper proposes an access control scheme with fine-grained attribute revocation, keyword search, and traceability of the attribute private key distribution process. Blockchain technology tracks the authorization of attribute private keys. The credit scoring method improves the Raft protocol in consensus efficiency. Besides, the interplanetary file system (IPFS) addresses the capacity deficit of blockchain. Under the premise of hiding policy, the research proposes a fine-grained access control method based on users, user attributes, and file structure. It optimizes the data-sharing mode. At the same time, Proxy Re-Encryption (PRE) technology is used to update the access rights. The proposed scheme proved to be secure. Comparative analysis and experimental results show that the proposed scheme has higher efficiency and more functions. It can meet the needs of medical institutions.

computer science, information systems,materials science, multidisciplinary

Yaoliang Chen,Shi Chen,Jiao Liang,Lance Warren Feagan,Weili Han,Sheng Huang,X. Sean Wang

DOI: https://doi.org/10.1016/j.is.2020.101590

IF: 3.18

2020-01-01

Information Systems

Abstract:Blockchain is an emerging data management technology that enables people in a collaborative network to establish trusted connections with the other participants. Recently consortium blockchains have raised interest in a broader blockchain technology discussion. Instead of a fully public, autonomous network, consortium blockchain supports a network where participants can be limited to a subset of users and data access strictly controlled. Access control policies should be defined by the respective data owner and applied throughout the network without requiring a centralized data administrator. As a result, decentralized data access control (DDAC) emerges as a fundamental challenge for such systems. However, we show from a trust model for consortium collaborative networks that current consortium blockchain systems provide limited support for DDAC. Further, the distributed, replicated nature of blockchain makes it even more challenging to control data access, especially read access, compared with traditional DBMSes. We investigate possible strategies to protect data from being read by unauthorized users in consortium blockchain systems using combinations of ledger partitioning and encryption strategies. A general framework is proposed to help inexperienced users determine appropriate strategies under different application scenarios. The framework was implemented on top of Hyperledger Fabric to evaluate feasibility. Experimental results along with a real-world case study contrasted the performance of different strategies under various conditions and the practicality of the proposed framework.

Xuanmei Qin,Yongfeng Huang,Zhen Yang,Xing Li

DOI: https://doi.org/10.1016/j.sysarc.2020.101854

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:Ciphertext-policy attribute-based encryption(CP-ABE) has been widely studied and used in access control schemes for secure data sharing. Since in most of the existing attribute-based encryption methods, all user attributes are managed by a single central authority, it is easy to cause a single point of failure. Therefore, several multi-authority CP-ABE schemes are proposed to manage user attributes by multiple authorities. However, these schemes still do not eliminate the single point of failure in essence or suffer from high computation and communication overhead on data users. In this paper, we propose a Blockchain-based Multi-authority Access Control scheme called BMAC for sharing data securely. Shamir secret sharing scheme and permissioned blockchain (Hyperledger Fabric) are introduced to implement that each attribute is jointly managed by multiple authorities to avoid single point of failure. In addition, we take advantage of blockchain technology to establish trust among multiple authorities and exploit smart contracts to compute tokens for attributes managed across multiple management domains, which reduces communication and computation overhead on the data user side. Moreover, blockchain helps to record the access control process in a secure and auditable way. Finally, we analyze the security of the proposed algorithm. Further analysis and comparison show the performance of the proposed method.

Chao Yuan,Mi-xue Xu,Xueming Si,Bin Li

DOI: https://doi.org/10.1109/ICPADS.2017.00111

2017-01-01

Abstract:As a recently proposed public key primitive, attribute-base encryption(ABE) divided into Ciphertext-policy ABE (CP-ABE) and Key-policy ABE (KP-ABE) is a highly promising tool for the management and protection of data. And Blockchain, as one of the core technologies of Bitcoin that is the most representative cryptocurrency, has received extensive attentions recently. Supervision and privacy protection are two difficulties in blockchain. In this paper, a new scheme combining blockchain and accountable CP-ABE is proposed. In this scheme, each change of the data is recorded on the blockchain. And the different permissions of access are realized through ABE. If a malicious user shares a decryption key illegally, it will be considered illegal. Similarly, if the authority generates a decryption key for any unauthorized user, it also will be considered illegal. This scheme allows any third party to publicly verify the identity of a decryption key. And it is achievable for an auditor to publicly audit whether a malicious user or the authority should be responsible for an exposed decryption key, and the key abuser cannot deny it. At last this scheme is applied to the management of electronic documents.

Jingchi Zhang,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.2309.04125

2023-09-08

Abstract:In a traditional cloud storage system, users benefit from the convenience it provides but also take the risk of certain security and privacy issues. To ensure confidentiality while maintaining data sharing capabilities, the Ciphertext-Policy Attribute-based Encryption (CP-ABE) scheme can be used to achieve fine-grained access control in cloud services. However, existing approaches are impaired by three critical concerns: illegal authorization, key disclosure, and privacy leakage. To address these, we propose a blockchain-based data governance system that employs blockchain technology and attribute-based encryption to prevent privacy leakage and credential misuse. First, our ABE encryption system can handle multi-authority use cases while protecting identity privacy and hiding access policy, which also protects data sharing against corrupt authorities. Second, applying the Advanced Encryption Standard (AES) for data encryption makes the whole system efficient and responsive to real-world conditions. Furthermore, the encrypted data is stored in a decentralized storage system such as IPFS, which does not rely on any centralized service provider and is, therefore, resilient against single-point failures. Third, illegal authorization activity can be readily identified through the logged on-chain data. Besides the system design, we also provide security proofs to demonstrate the robustness of the proposed system.

Cryptography and Security

Zhongyuan Yao,Heng Pan,Xueming Si,Weihua Zhu

DOI: https://doi.org/10.1007/978-981-15-2777-7_20

2019-01-01

Abstract:Since its invention, the public blockchain has attracted more attention from both the academia and industry because of its fully decentralization and persistency features. However, the privacy issue in public blockchain is still challengeable. While there exists privacy preservation mechanisms proposed for the public blockchain, almost all of them can only solve partial of the privacy issue, either user privacy or data privacy indeed, in it. In this work, we present a decentralized access control encryption scheme which ensures user and data privacy simultaneously in public blockchain. With our cryptographic solution, the validity of one specific transaction can be publicly verified, while its content can only be retrieved by its intended receivers. Moreover, the origin of this transaction cannot be identified by any participant except the receivers in the network. Our analysis shows that our solution is really suitable to deploy in public blockchain and is proven secure under mathematical assumptions.

Haiping Si,Weixia Li,Nan Su,Tingting Li,Yanling Li,Chuanhu Zhang,Bacao Fernando,Changxia Sun

DOI: https://doi.org/10.1016/j.comcom.2024.05.012

IF: 5.047

2024-05-20

Computer Communications

Abstract:With the continuous maturation of blockchain technology and the increasing demands for various industry applications, data sharing and interoperability among different blockchain networks face significant challenges. Research on cross-chain interoperability mechanisms has facilitated data collaboration across organizations and industries, enhancing the value and utility of data. When engaging in cross-chain data interactions, access control ensures the security and privacy of data while promoting collaboration and information exchange among multiple chains. Attribute-based access control can provide fine-grained authorization support, matching complex business scenarios. However, publicly disclosed policies and attributes in a transparent blockchain network may pose privacy and security issues. To address these issues, this paper proposes a cross-heterogeneous multichain data access control scheme based on attributes and threshold homomorphic encryption, achieving fine-grained and secure cross-domain access control in cross-chain networks. This scheme uses the threshold Paillier cryptosystem to encrypt and conceal user attributes and access policies. Through smart contracts, homomorphic differential computation is performed on the ciphertext of policies and attributes, to protect data privacy. This solution leverages private key decryption shares from multiple relay nodes in the cross-chain network to jointly decrypt the computation results, providing secure access control in complex cross-chain scenarios. Security analysis and experimental results demonstrate that the proposed scheme ensures security with reasonable computational overhead, to meet the access control requirements in cross-chain networks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Peng Li,Dehua Zhou,Haobin Ma,Junzuo Lai

DOI: https://doi.org/10.1016/j.sysarc.2023.103033

IF: 5.836

2023-11-27

Journal of Systems Architecture

Abstract:With the rapid development of the healthcare industry, many Electronic Health Records (EHRs) have emerged in different healthcare centers. However, lots of personal medical data are stored directly in plaintext at a single healthcare center, which makes it suffer from the single point of failure and brings many security and privacy issues such as privacy information leakage or tampering. The combination of blockchain and attributed-based cryptography can effectively solve the above problems. Therefore, in order to enable flexible fine-grained access control and efficient data retrieval while achieving privacy protection, we employ the ciphertext-policy attributed-based encryption (CP-ABE) and ciphertext-policy attribute-based searchable encryption (CP-ABSE) to propose a hidden policy attribute-based access control scheme. In addition, we combine consortium blockchain and smart contract to provide secure and reliable search and outsourcing decryption. Finally, through the security analysis and experimental results, we demonstrate that our scheme is secure and efficient.

computer science, software engineering, hardware & architecture

Ronghua Xu,Yu Chen,Erik Blasch,Genshe Chen

DOI: https://doi.org/10.48550/arXiv.1810.01291

2018-10-01

Cryptography and Security

Abstract:Space situation awareness (SSA) includes tracking of active and inactive resident space objects (RSOs) and assessing the space environment through sensor data collection and processing. To enhance SSA, the dynamic data-driven applications systems (DDDAS) framework couples on-line data with off-line models to enhance system performance. Using feedback control, sensor management, and communications reliability. For information management, there is a need for identity authentication and access control to ensure the integrity of exchanged data as well as to grant authorized entities access right to data and services. Due to decentralization and heterogeneity of SSA systems, it is challenging to build an efficient centralized access control system, which could either be a performance bottleneck or the single point of failure. Inspired by the blockchain and smart contract technology, this paper introduces BlendCAC, a decentralized authentication and capability-based access control mechanism to enable effective protection for devices, services and information in SSA networks. To achieve secure identity authentication, the BlendCAC leverages the blockchain to create virtual trust zones and a robust identity-based capability token management strategy is proposed. A proof-of-concept prototype has been implemented on both resources-constrained devices and more powerful computing devices, and is tested on a private Ethereum blockchain network. The experimental results demonstrate the feasibility of the BlendCAC scheme to offer a decentralized, scalable, lightweight and fine-grained access control solution for space system towards SSA.

Wanxin Li,Collin Meese,Mark Nejad,Hao Guo

DOI: https://doi.org/10.1109/HotICN53262.2021.9680829

2023-05-26

Abstract:Consensus algorithms play a critical role in blockchains and directly impact their performance. During consensus processing, nodes need to validate and order the pending transactions into a new block, which requires verifying the application-specific data encapsulated within a transaction. This exposes the underlying data to the consensus nodes, presenting privacy concerns. Existing consensus algorithms focus on realizing application security and performance goals, but lack privacy-by-design properties or are resource-heavy and intended for securing permissionless blockchain networks. In this paper, we propose P-CFT, a zero-knowledge and crash fault tolerant consensus algorithm for permissioned blockchains. The proposed consensus algorithm provides inherent data privacy directly to the consensus layer, while still providing guarantees of crash fault tolerance. We conduct experiments using the Hyperledger Ursa cryptographic library, and the results show promise for integrating P-CFT into existing permissioned blockchain systems requiring privacy-preserving and crash fault tolerant features.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture

Wei-Tek Tsai,Xiaoying Bai,Lian Yu

DOI: https://doi.org/10.1109/SOSE.2017.32

2017-01-01

Abstract:A permissioned blockchain (BC) is a secure distributed ledger maintained by a number of trusted validation nodes. However, a validator may become compromised and send inconsistent messages to different nodes. To counter the problem, consensus protocols like Practical Byzantine Fault Tolerance (PBFT) can be used. The paper presents a permissioned BC system and discusses various design issues including control messages, block size and window size of block creation time. Furthermore, it is necessary to identify those compromised nodes discovered during the consensus protocol. This paper then proposes a reputation system to track the trustworthiness of nodes as it is necessary to distinguish failed nodes from compromised nodes. A compromised node may send inconsistent messages to others or accuse other nodes compromised, and it should be removed as soon as it is identified and confirmed.

Mizhipeng Zhang,Chentao Wu,Jie Li,Minyi Guo

DOI: https://doi.org/10.1007/s11704-023-3209-3

IF: 2.6688

2024-01-01

Frontiers of Computer Science

Abstract:Blockchain as a decentralized storage technology is widely used in many fields. It has extremely strict requirements for reliability because there are many potentially malicious nodes. Generally, blockchain is a chain storage structure formed by interconnecting blocks, which are stored by full replication method, where each node stores a replica of all blocks and the data consistency is maintained by the consensus protocol. To decrease the storage overhead, previous approaches such as BFT-Store and Partition Chain store blocks via erasure codes. However, existing erasure coding based methods utilize static encoding schema to tolerant f malicious nodes, but in the typical cases, the number of malicious nodes is much smaller than f as described in previous literatures. Using redundant parities to tolerate excessive malicious nodes introduces unnecessary storage overhead. To solve the above problem, we propose Dynamic-EC, which is a Dynamic Erasure Coding method in permissioned blockchain systems. The key idea of Dynamic-EC is to reduce the storage overhead by dynamically adjusting the total number of parities according to the risk level of the whole system, which is determined by the number of perceived malicious nodes, while ensuring the system reliability. To demonstrate the effectiveness of Dynamic-EC, we conduct several experiments on an open source blockchain software Tendermint. The results show that, compared to the state-of-the-art erasure coding methods, Dynamic-EC reduces the storage overhead by up to 42

V. Ezhil Arasi,K. Indra Gandhi,K. Kulothungan

DOI: https://doi.org/10.1007/s11227-021-04293-3

IF: 3.3

2022-01-26

The Journal of Supercomputing

Abstract:Data security in cloud data sharing system is effectively ensured by data access control mechanism. Data access control becomes more challenging because of intruders and malicious cloud servers. Most of the traditional approaches do not consider the issues in controlling user accessing cloud data storage and sharing. Ciphertext policy attribute-based encryption is one of the most effective techniques that provide secure data access control for sensitive data outsourced in cloud storage. However, in traditional cloud data sharing system, there are several issues regarding transaction traceability, user authorization, data ownership management and access control preservation. Also, traditional access control schemes do not have an effective method to compensate cloud users whose data integrity is lost. To handle these issues, we propose a new data sharing system auditable attribute-based encryption scheme that integrates the advantages of blockchain technology with attribute-based access control. We designed a trustworthy scheme which uses blockchain to provide attribute-based secure data sharing with integrity auditing. It also provides compensation to data owners, if their data integrity is lost. The security analysis demonstrates the improvement in performance of the proposed access control scheme over existing data sharing schemes. It provides efficient and secure data sharing, reliable traceability and equitable mediation. Thus, the proposed approach preserves the integrity, privacy, security and consistency of the stored data, thereby guaranteeing authorized data access control to cloud users.

Xinyi Luo,Kaiping Xue,Zhuo Xu,Mingrui Ai,Jianan Hong,Xianchao Zhang,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/tdsc.2024.3418617

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The lack of privacy-preserving capabilities hinders the further development of blockchains and smart contracts. While numerous privacy solutions have been proposed, limitations persist. Firstly, most existing solutions focus on specific privacy protections such as anonymous payments, private data, or multi-party computation tasks. However, these solutions lack a general privacy ability, allowing users to deploy applications with diverse privacy requirements. Secondly, existing solutions have limited customizability, which means users cannot easily customize and adapt the privacy policies according to their specific demands or preferences. In this paper, we present EtherCloak, which adopts trusted execution environments (TEEs) to achieve a general and customizable privacy policy on account model blockchains, enabling users to conceal any on-chain information. To address the security issues caused by the unreliability of the host the TEE runs on, we design the enclave state check and crash recovery mechanisms and employ them in the block generation process. In addition, we propose an access control mechanism for privacy policy management and data query. We prove that EtherCloak offers general and customizable privacy protection with a minimal increase in transaction size (less than triple) and communication overhead (approximately 10%) compared to Ethereum.

Yin Zhang,Ling Xiong,Fagen Li,Xianhua Niu,Hanzhou Wu

DOI: https://doi.org/10.1016/j.sysarc.2023.102949

IF: 5.836

2023-01-01

Journal of Systems Architecture

Abstract:Blockchain-based authentication mode, a fundamental solution to prevent unauthorized access behavior, gradually becomes a focus in future distributed mobile cloud computing (MCC) services. However, due to the transparent and immutable characteristics of blockchain, users' access behaviors are facing huge security and privacy threats. Storing the encrypted data on chain is an effective way to address these issues, but access permission confirmation and update in the form of ciphertext is the main bottleneck. To this end, this paper proposes a blockchain-based unified authentication and hierarchical access control scheme for the MCC environment, which provides both privacy protection and auditability. In the proposed scheme, users can access multiple MCC services with different access permissions using a single credential. To protect the privacy of both users and service providers, while still supporting auditability, the data on the public ledger is blinded using Pedersen commitments. Besides, the proposed scheme provides flexible dynamic updating in encrypted form. Theoretical analysis indicates that the proposed scheme can meet various security and privacy requirements in the MCC environment. Compared with related schemes, it has better communication efficiency. Therefore, the proposed scheme is more suitable for the actual MCC environment.

Shunrong Jiang,Haiqin Wu,Liangmin Wang

DOI: https://doi.org/10.1109/globecom38437.2019.9013220

2019-01-01

Abstract:The large-scale deployment of eHealth systems has brought deep impact on human society. However, the centralized Electronic health records (EHRs) outsourcing system faces some critical security and privacy issues, which have raised wide concerns in both academia and industry. Moreover, the patients lose control of their health data. There is a need to construct a decentralized and secure EHRs with more flexible control by patients themselves instead of the third party. Fortunately, we observe that the characteristics of blockchain technology such as decentralization, immutability, and auditability perfectly match these aforementioned requirements. Specifically, to satisfy our application requirements, we build a consortium blockchain (PESchain) which is maintained by a set of medical institutions. The EHRs of patients are encrypted and stored in the medical institutions by local cloud while the corresponding hash values are stored on PESchain. Moreover, to enable privacy-preserving EHRs sharing, we construct a stealth authorization scheme to achieve access authorization delivery on the blockchain. Besides, we pack the transactions according to different types to guarantee efficient block deletion. The security analysis and performance evaluation show that PESchain is secure and practical for EHRs sharing.