Jianting Ning,Zhenfu Cao,Xiaolei Dong,Kaitai Liang,Lifei Wei,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/tsc.2018.2791538

IF: 11.019

2019-01-01

IEEE Transactions on Services Computing

Abstract:Secure cloud storage, which is an emerging cloud service, is designed to protect the confidentiality of outsourced data but also to provide flexible data access for cloud users whose data is out of physical control. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is regarded as one of the most promising techniques that may be leveraged to secure the guarantee of the service. However, the use of CP-ABE may yield an inevitable security breach which is known as the misuse of access credential (i.e., decryption rights), due to the intrinsic “all-or-nothing” decryption feature of CP-ABE. In this paper, we investigate the two main cases of access credential misuse: one is on the semi-trusted authority side, and the other is on the side of cloud user. To mitigate the misuse, we propose the first accountable authority and revocable CP-ABE based cloud storage system with white-box traceability and auditing, referred to as CryptCloud±. We also present the security analysis and further demonstrate the utility of our system via experiments.

Kan Yang,Zhen Liu,Xiaohua Jia,Xuemin Sherman Shen

DOI: https://doi.org/10.1109/tmm.2016.2535728

IF: 7.3

2016-01-01

IEEE Transactions on Multimedia

Abstract:With the ever-increasing demands on multimedia applications, cloud computing, due to its economical but powerful resources, is becoming a natural platform to process, store, and share multimedia contents. However, the employment of cloud computing also brings new security and privacy issues as few public cloud servers can be fully trusted by users. In this paper, we focus on how to securely share video contents to a certain group of people during a particular time period in cloud-based multimedia systems, and propose a cryptographic approach, a provably secure time-domain attribute-based access control (TAAC) scheme, to secure the cloud-based video content sharing. Specifically, we first propose a provably secure time-domain attribute-based encryption scheme by embedding the time into both the ciphertexts and the keys, such that only users who hold sufficient attributes in a specific time slot can decrypt the video contents. We also propose an efficient attribute updating method to achieve the dynamic change of users' attributes, including granting new attributes, revoking previous attributes, and regranting previously revoked attributes. We further discuss on how to control those video contents that can be commonly accessed in multiple time slots and how to make special queries on video contents generated in previous time slots. The security analysis and performance evaluation show that TAAC is provably secure in generic group model and efficient in practice.

Jianan Hong,Kaiping Xue,Wei Li,Yingjie Xue

DOI: https://doi.org/10.1109/tsc.2017.2682090

2015-01-01

Abstract:The new paradigm of outsourcing data to the cloud is a double-edged sword. On one side, it frees up data owners from the technical management, and is easier for the data owners to share their data with intended recipients when data are stored in the cloud. On the other side, it brings about new challenges about privacy and security protection. To protect data confidentiality against the honest-but-curious cloud service provider, numerous works have been proposed to support fine-grained data access control. However, till now, no efficient schemes can provide the scenario of fine-grained access control together with the capacity of time-sensitive data publishing. In this paper, by embedding the mechanism of timed-release encryption into CP-ABE (Ciphertext-Policy Attribute-based Encryption), we propose TAFC: a new time and attribute factors combined access control on time-sensitive data stored in cloud. Extensive security and performance analysis shows that our proposed scheme is highly efficient and satisfies the security requirements for time-sensitive data storage in public cloud.

Wei Li,Kaiping Xue,Yingjie Xue,Jianan Hong

DOI: https://doi.org/10.1109/tpds.2015.2448095

IF: 5.3

2015-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Attribute-based Encryption (ABE) is regarded as a promising cryptographic conducting tool to guarantee data owners' direct control over their data in public cloud storage. The earlier ABE schemes involve only one authority to maintain the whole attribute set, which can bring a single-point bottleneck on both security and performance. Subsequently, some multi-authority schemes are proposed, in which multiple authorities separately maintain disjoint attribute subsets. However, the single-point bottleneck problem remains unsolved. In this paper, from another perspective, we conduct a threshold multi-authority CP-ABE access control scheme for public cloud storage, named TMACS, in which multiple authorities jointly manage a uniform attribute set. In TMACS, taking advantage of (t,n) threshold secret sharing, the master key can be shared among multiple authorities, and a legal user can generate his/her secret key by interacting with any t authorities. Security and performance analysis results show that TMACS is not only verifiable secure when less than t authorities are compromised, but also robust when no less than t authorities are alive in the system. Furthermore, by efficiently combining the traditional multi-authority scheme with TMACS, we construct a hybrid one, which satisfies the scenario of attributes coming from different authorities as well as achieving security and system-level robustness.

Jianting Ning,Zhenfu Cao,Xiaolei Dong,Lifei Wei

DOI: https://doi.org/10.1109/tdsc.2016.2608343

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Ciphertext-policy attribute-based encryption (CP-ABE) has been proposed to enable fine-grained access control on encrypted data for cloud storage service. In the context of CP-ABE, since the decryption privilege is shared by multiple users who have the same attributes, it is difficult to identify the original key owner when given an exposed key. This leaves the malicious cloud users a chance to leak their access credentials to outsourced data in clouds for profits without the risk of being caught, which severely damages data security. To address this problem, we add the property of traceability to the conventional CP-ABE. To catch people leaking their access credentials to outsourced data in clouds for profits effectively, in this paper, we first propose two kinds of non-interactive commitments for traitor tracing. Then we present a fully secure traceable CP-ABE system for cloud storage service from the proposed commitment. Our proposed commitments for traitor tracing may be of independent interest, as they are both pairing-friendly and homomorphic. We also provide extensive experimental results to confirm the feasibility and efficiency of the proposed solution.

Xiong Li,Saru Kumari,Jian Shen,Fan Wu,Caisen Chen,SK Hafizul Islam

DOI: https://doi.org/10.1007/s11277-016-3742-6

IF: 2.017

2016-01-01

Wireless Personal Communications

Abstract:Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Niu Shaozhang,Tu Shanshan,Huang Yongfeng

DOI: https://doi.org/10.1049/cje.2015.07.015

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:Cloud computing services have got rapid development in the field of the lightweight terminal, especially wireless communications. The comprehensive access control system framework is proposed for the cloud. A kind of access control scheme based on attribute encryption is designed, in which lightweight devices can safely use cloud computing resources to outsource encrypt/decrypt operations, and not worry for exposing terminal sensitive data. The scheme is verified by performance evaluation about the security, computing, storage, to ensure the legitimate interests of users in the cloud.

Xiaoyu Li,Shaohua Tang,Lingling Xu,Huaqun Wang,Jie Chen

DOI: https://doi.org/10.1109/access.2016.2609884

IF: 3.9

2016-01-01

IEEE Access

Abstract:Attribute-based encryption, especially for ciphertext-policy attribute-based encryption, can fulfill the functionality of fine-grained access control in cloud storage systems. Since users' attributes may be issued by multiple attribute authorities, multi-authority ciphertext-policy attribute-based encryption is an emerging cryptographic primitive for enforcing attribute-based access control on outsourced data. However, most of the existing multi-authority attribute-based systems are either insecure in attribute-level revocation or lack of efficiency in communication overhead and computation cost. In this paper, we propose an attribute-based access control scheme with two-factor protection for multi-authority cloud storage systems. In our proposed scheme, any user can recover the outsourced data if and only if this user holds sufficient attribute secret keys with respect to the access policy and authorization key in regard to the outsourced data. In addition, the proposed scheme enjoys the properties of constant-size ciphertext and small computation cost. Besides supporting the attribute-level revocation, our proposed scheme allows data owner to carry out the user-level revocation. The security analysis, performance comparisons, and experimental results indicate that our proposed scheme is not only secure but also practical.

Liang Yan,Lina Ge,Zhe Wang,Guifen Zhang,Jingya Xu,Zheng Hu

DOI: https://doi.org/10.1186/s13677-023-00444-4

2023-04-19

Journal of Cloud Computing

Abstract:With the rapid development of cloud computing technology, how to achieve secure access to cloud data has become a current research hotspot. Attribute-based encryption technology provides the feasibility to achieve the above goal. However, most of the existing solutions have high computational and trust costs. Furthermore, the fairness of access authorization and the security of data search can be difficult to guarantee. To address these issues, we propose a novel access control scheme based on blockchain and attribute-based searchable encryption in cloud environment. The proposed scheme achieves fine-grained access control with low computation consumption by implementing proxy encryption and decryption, while supporting policy hiding and attribute revocation. The encrypted file is stored in the IPFS and the metadata ciphertext is stored on the blockchain, which ensures data integrity and confidentiality. Simultaneously, the scheme enables the secure search of ciphertext keyword in an open and transparent blockchain environment. Additionally, an audit contract is designed to constrain user access behavior to dynamically manage access authorization. Security analysis proves that our scheme is resistant to chosen-plaintext attacks and keyword-guessing attacks. Theoretical analysis and experimental results show that our scheme has high computational and storage efficiency, which is more advantageous than other schemes.

V. Ezhil Arasi,K. Indra Gandhi,K. Kulothungan

DOI: https://doi.org/10.1007/s11227-021-04293-3

IF: 3.3

2022-01-26

The Journal of Supercomputing

Abstract:Data security in cloud data sharing system is effectively ensured by data access control mechanism. Data access control becomes more challenging because of intruders and malicious cloud servers. Most of the traditional approaches do not consider the issues in controlling user accessing cloud data storage and sharing. Ciphertext policy attribute-based encryption is one of the most effective techniques that provide secure data access control for sensitive data outsourced in cloud storage. However, in traditional cloud data sharing system, there are several issues regarding transaction traceability, user authorization, data ownership management and access control preservation. Also, traditional access control schemes do not have an effective method to compensate cloud users whose data integrity is lost. To handle these issues, we propose a new data sharing system auditable attribute-based encryption scheme that integrates the advantages of blockchain technology with attribute-based access control. We designed a trustworthy scheme which uses blockchain to provide attribute-based secure data sharing with integrity auditing. It also provides compensation to data owners, if their data integrity is lost. The security analysis demonstrates the improvement in performance of the proposed access control scheme over existing data sharing schemes. It provides efficient and secure data sharing, reliable traceability and equitable mediation. Thus, the proposed approach preserves the integrity, privacy, security and consistency of the stored data, thereby guaranteeing authorized data access control to cloud users.

Zechao Liu,Zoe L. Jiang,Xuan Wang,S. M. Yiu,Ruoqing Zhang,Yulin Wu

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00092

2018-01-01

Abstract:Cloud storage service allows data owners to store their (encrypted) data in a remote and may be untrusted cloud server. Attribute-Based Encryption (ABE) provides an excellent and flexible solution for data access control. As more and more applications evolved, ABE schemes may not handle all scenarios, in particular, if the access control has a time and location constraint. Time and location attributes are not as static as other general attributes. Existing ABE schemes cannot efficiently handle the continuous range of an attribute making it impractical for temporal and spatial constraints that are changing dynamically. In this paper, we propose a novel temporal and spatial constrained attribute-based access control (TSC-ABAC) scheme to solve this problem. Our system adopts a redesigned access structure and makes use of multi-dimensional range derivation function to match the time domain. This is the first ABE scheme that can efficiently handle time and location elements simultaneously. We further propose an extended TSC-ABAC scheme, which aims at reducing the decryption cost imposed on user. A thorough security and performance analysis shows that our design is secure and efficient. The result of our work could provide a feasible and practical data access control scheme for cloud storage services.

Ping-ping LIU,Lin-ying YAN

DOI: https://doi.org/10.16185/j.jxatu.edu.cn.2015.05.003

2015-01-01

Abstract:For the purpose of secure cloud storage ,a secure cloud storage access control system scheme is proposed in this paper .In the scheme ,Linux and Hadoop are used to build the cloud platform .T he role-based access control method is employed to test identity and to access nonsensitive data . And the attribute encryption algorithm is applyed to encrypt/decrypt data .Experiment show s that this scheme can effectively ensure the integrity and confidentiality of data in the cloud storage .

Xin Liu,Hao Wang,Bo Zhang,Bin Zhang

DOI: https://doi.org/10.1016/j.ins.2021.10.038

IF: 8.1

2022-01-01

Information Sciences

Abstract:In a data access control system oriented toward the cloud storage environment, a data owner defines attribute-based access control policies for data files to realize fine-grained data sharing. However, the existing schemes have defects in user execution efficiency and user privacy protection, and they do not consider the problems of user revocation and attribute updates. To this end, we propose a ciphertext policy attribute-based encryption method with verifiable outsourced decryption; this requires a user to complete decryption with the help of a server, but the results of the outsourced decryption can be verified independently. With this new encryption scheme and the technique of k-times anonymous authentication, a new fine-grained data access control system was constructed; this system allows a server to provide users with outsourced decryption services, and users’ computation cost is independent of the size of the underlying access control policy. Moreover, the number of outsourced decryption requests is limited. In addition, the new system supports user revocation and attribute updates and it is provably secure under formal proofs. An efficiency analysis shows that it can be compared with other similar systems in terms of performance, despite the addition of several practical properties.

computer science, information systems

Jiawei Zhang,Teng Li,Qi Jiang,Jianfeng Ma

DOI: https://doi.org/10.1186/s13638-021-02072-5

Abstract:With the assistance of emerging techniques, such as cloud computing, fog computing and Internet of Things (IoT), smart city is developing rapidly into a novel and well-accepted service pattern these days. The trend also facilitates numerous relevant applications, e.g., smart health care, smart office, smart campus, etc., and drives the urgent demand for data sharing. However, this brings many concerns on data security as there is more private and sensitive information contained in the data of smart city applications. It may incur disastrous consequences if the shared data are illegally accessed, which necessitates an efficient data access control scheme for data sharing in smart city applications with resource-poor user terminals. To this end, we proposes an efficient traceable and revocable time-based CP-ABE (TR-TABE) scheme which can achieve time-based and fine-grained data access control over large attribute universe for data sharing in large-scale smart city applications. To trace and punish the malicious users that intentionally leak their keys to pursue illicit profits, we design an efficient user tracing and revocation mechanism with forward and backward security. For efficiency improvement, we integrate outsourced decryption and verify the correctness of its result. The proposed scheme is proved secure with formal security proof and is demonstrated to be practical for data sharing in smart city applications with extensive performance evaluation.

Kaiping Xue,Yingjie Xue,Jianan Hong,Wei Li,Hao Yue,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2016.2647222

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data access control is a challenging issue in public cloud storage systems. Ciphertext-policy attribute-based encryption (CP-ABE) has been adopted as a promising technique to provide flexible, fine-grained, and secure data access control for cloud storage with honest-but-curious cloud servers. However, in the existing CP-ABE schemes, the single attribute authority must execute the time-consuming user legitimacy verification and secret key distribution, and hence, it results in a single-point performance bottleneck when a CP-ABE scheme is adopted in a large-scale cloud storage system. Users may be stuck in the waiting queue for a long period to obtain their secret keys, thereby resulting in low efficiency of the system. Although multiauthority access control schemes have been proposed, these schemes still cannot overcome the drawbacks of single-point bottleneck and low efficiency, due to the fact that each of the authorities still independently manages a disjoint attribute set. In this paper, we propose a novel heterogeneous framework to remove the problem of single-point performance bottleneck and provide a more efficient access control scheme with an auditing mechanism. Our framework employs multiple attribute authorities to share the load of user legitimacy verification. Meanwhile, in our scheme, a central authority is introduced to generate secret keys for legitimacy verified users. Unlike other multi-authority access control schemes, each of the authorities in our scheme manages the whole attribute set individually. To enhance security, we also propose an auditing mechanism to detect which attribute authority has incorrectly or maliciously performed the legitimacy verification procedure. Analysis shows that our system not only guarantees the security requirements but also makes great performance improvement on key generation.

Jingsi REN,Jinlin WANG,Xiao CHEN,Xiaozhou YE

DOI: https://doi.org/10.3969/j.issn.2095-347X.2017.04.002

2017-01-01

Abstract:Traditional ABE schemes rely on a single authority,which is not suitable for large-scale data storage.In order to solve this problem,we present a novel decentralized attribute-based access control scheme for cloud storage environment.The proposed scheme has the following features:①Multiple authorities are independent,without the need for any central authority or global coordination;②The scheme supports any LSSS access structure and can easily carry out fine-granted access control;③We apply proxy re-encryption technique to resolve the issue of user revocation in decentralized ABE schemes.Security analysis and performance assessment show that our scheme is reliable,and can take into account both flexibility and efficiency.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Su Huang,Yuan Luo

DOI: https://doi.org/10.1049/cp.2014.1263

2014-01-01

Abstract:Cloud storage services enable users to remotely store their data and conveniently share their information. One critical issue is how to achieve data security and realize data access policy in cloud storage services. Existing schemes based on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) have been proposed to achieve secure access control for outsourced data in cloud computing. However, due to the inefficiency of decryption and the inflexibility, most of these schemes are not suitable to realize distributed access control for cloud storage systems. In this paper, we propose a fully distributed, scalable and effective data access control scheme to encrypt and decrypt data, which bases on the lowest density maximum distance separable (LD-MDS) code.The introduction of the LD-MDS code in this field improves performance greatly in decryption stage. Security analysis indicates that the proposed scheme is secure and achieves fine-grained access control, collusion resistant, backward security and forward security simultaneously. Extensive performance analysis and experiment show that our scheme is much more efficient than existing CP-ABE system in cloud storage services.

Guowen Xu,Shengmin Xu,Jinhua Ma,Jianting Ning,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2023.3305870

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud computing has been widely accepted as a computing paradigm to offer high-quality data services on demand. However, it suffers from various attacks as the cloud service provider and data owners are not in the same trusted domain. To support data confidentiality, existing cloud-based systems apply cryptographic tools to issue the decryption key to data users to share data in a controlled way. However, fine-grained cloud data sharing still faces many challenges, especially when dealing with dynamic user groups. In this paper, we introduce a secure and efficient cloud-based data-sharing system with fine-grained access control and dynamic user groups. Our system enjoys 1) adaptive security in prime-order groups, 2) forward secrecy against revoked user fetches data generated before being revoked, and 3) decryption key exposure resistance against the compromise of the frequently used decryption key, where the previous solutions only concentrate on one or two above-mentioned properties. More specifically, we introduce two timestamp management mechanisms that manage the timestamp in each ciphertext to support dynamic user groups with forward secrecy. By applying the proposed timestamp management mechanisms, we introduce two novel designs of attribute-based encryption schemes with formal definition and security analyses. The proposed schemes are adaptively secure in prime-order groups under a standard assumption and support decryption key exposure resistance. We conduct theoretical analysis and experimental simulation to demonstrate the outperformance of our solutions.