Jian Wang,Chunxiao Ye,Yangfei Ou

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00092

2019-01-01

Abstract:Cloud computing have brought a lot of advantages, such as reducing the hardware cost and providing a convenient cloud storage service. More and more people choose to put their private data in the cloud. However, due to data outsourcing and seminal-trusted cloud servers, data access control has becoming a challenging issue. To protect data security and privacy, some ciphertext policy attribute-based encryption (CP-ABE) schemes have been applied to cloud data access control. However, there are two dynamic issues, namely attribute revocation and policy updating, that need to be solved in the existing CP-ABE schemes. In this paper, we propose a fine-grained dynamic multi-authority cloud data access control scheme, which can solve the above two problems. Besides, our scheme can also support user revocation, which make it more practical. The analysis and simulation results show that our scheme is secure in the random oracle model and is efficient.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Su Huang,Yuan Luo

DOI: https://doi.org/10.1049/cp.2014.1263

2014-01-01

Abstract:Cloud storage services enable users to remotely store their data and conveniently share their information. One critical issue is how to achieve data security and realize data access policy in cloud storage services. Existing schemes based on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) have been proposed to achieve secure access control for outsourced data in cloud computing. However, due to the inefficiency of decryption and the inflexibility, most of these schemes are not suitable to realize distributed access control for cloud storage systems. In this paper, we propose a fully distributed, scalable and effective data access control scheme to encrypt and decrypt data, which bases on the lowest density maximum distance separable (LD-MDS) code.The introduction of the LD-MDS code in this field improves performance greatly in decryption stage. Security analysis indicates that the proposed scheme is secure and achieves fine-grained access control, collusion resistant, backward security and forward security simultaneously. Extensive performance analysis and experiment show that our scheme is much more efficient than existing CP-ABE system in cloud storage services.

Jianting Ning,Zhenfu Cao,Xiaolei Dong,Kaitai Liang,Lifei Wei,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/tsc.2018.2791538

IF: 11.019

2019-01-01

IEEE Transactions on Services Computing

Abstract:Secure cloud storage, which is an emerging cloud service, is designed to protect the confidentiality of outsourced data but also to provide flexible data access for cloud users whose data is out of physical control. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is regarded as one of the most promising techniques that may be leveraged to secure the guarantee of the service. However, the use of CP-ABE may yield an inevitable security breach which is known as the misuse of access credential (i.e., decryption rights), due to the intrinsic “all-or-nothing” decryption feature of CP-ABE. In this paper, we investigate the two main cases of access credential misuse: one is on the semi-trusted authority side, and the other is on the side of cloud user. To mitigate the misuse, we propose the first accountable authority and revocable CP-ABE based cloud storage system with white-box traceability and auditing, referred to as CryptCloud±. We also present the security analysis and further demonstrate the utility of our system via experiments.

Yu-ding WANG,Jia-hai YANG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2018.01.033

2018-01-01

Abstract:Currently,the most common encryption scheme of cloud computing access control system is CP-ABE,but the conventional CP-ABE encryption did not deal with the issue of user's access permission;data owners only allow the users to read the data but not to write,such kind of coarse access control mechanism is not flexible and low efficiency.To deal with this issue,the paper proposes a Data Access Control scheme with access Permission for Cloud Computing (DACPCC),it sets permission control keys to encrypt the data in cloud based on CP-ABE;the data owner controls the data's access permission by choosing the permission control keys.The paper illustrates the design details of the proposed scheme,then theoretically proves the security and evaluates the performance through simulated experiments;the results show that DACPCC allows the data owners to control the access permission of the data,and it is safe and more efficient.

Anping Xiong,Chunxiang Xu

DOI: https://doi.org/10.1080/10798587.2015.1095488

2015-01-01

Abstract:Ciphertext Policy Attribute-Based Encryption ( CP-ABE) has been widely studied in recent years because it is more suitable for access control of shared data under cloud storage environment. In view of problems of flexibility and efficiency of the existing encryption schemes under cloud storage environment, combined with digital envelopes technology, the paper puts forward an optimized scheme based on supporting fine-grained access control. The scheme has the following advantages: Adopting digital envelopes technology, reducing the computational overhead of Data Owner significantly on the basis of the ensuring data confidentiality, using proxy re-encryption technology to realize the support of user and attribute revocation flexibly, furthermore, the backward and forward secrecy also have been ensured. Adopting security protocols to distribute the shared keys between users and cloud storage server, cloud storage server can save the overhead in maintenance of a large user key's tree. Security and performance analysis show that Cloud storage access control scheme of ciphertext algorithm based on digital envelope can ensure the confidentiality of data, resist collusion attack with forward and backward security, and also reduce the calculation works of the user owners and accessing users.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

xiao wei gao,ze min jiang,Rui Jiang

DOI: https://doi.org/10.4028/www.scientific.net/AMR.756-759.2649

2012-01-01

Advanced Materials Research

Abstract:Recently, Hota et al. present a Capability-based Cryptographic Data Access Control in Cloud Computing. This scheme implements data storage, user authorization, data access and integrity checking. However, we find two fatal attacks in the data exchange between CSP and User. These attacks makes a registered user can intercept another legal user's file and decipher it. To avoid these attacks, we give an improvement to Hota et al's scheme and can resist theses attacks. Meantime, to make Hota's scheme be applicable, we propose a novel data access protocol in cloud computing. Our scheme guarantees data confidentiality and secure data access between User and CSP. Security analysis shows that the scheme can resist various attacks.

Qian Xu,Chengxiang Tan,Zhijie Fan,Wenye Zhu,Ya Xiao,Fujia Cheng

DOI: https://doi.org/10.1109/access.2018.2844829

IF: 3.9

2018-01-01

IEEE Access

Abstract:Nowadays, secure data access control has become one of the major concerns in a cloud storage system. As a logical combination of attribute-based encryption and attribute-based signature, attribute-based signcryption (ABSC) can provide confidentiality and an anonymous authentication for sensitive data and is more efficient than traditional ``encrypt-then-sign”or ``sign-then-encrypt”strategies. Thus, ABSC is suitable for fine-grained access control in a semi-trusted cloud environment and is gaining more and more attention in recent years. However, in many previous ABSC schemes, user's sensitive attributes can be disclosed to the authority, and only a single authority that is responsible for attribute management and key generation exists in the system. In this paper, we propose PMDAC-ABSC, a novel privacy-preserving data access control scheme based on Ciphertext-Policy ABSC, to provide a fine-grained control measure and attribute privacy protection simultaneously in a multi-authority cloud storage system. The attributes of both the signcryptor and the designcryptor can be protected to be known by the authorities and cloud server. Furthermore, the decryption overhead for user is significantly reduced by outsourcing the undesirable bilinear pairing operations to the cloud server without degrading the attribute privacy. The proposed scheme is proven to be secure in the standard model and has the ability to provide confidentiality, unforgeability, anonymous authentication, and public verifiability. The security analysis, asymptotic complexity comparison, and implementation results indicate that our construction can balance the security goals with practical efficiency in computation.

Jingsi REN,Jinlin WANG,Xiao CHEN,Xiaozhou YE

DOI: https://doi.org/10.3969/j.issn.2095-347X.2017.04.002

2017-01-01

Abstract:Traditional ABE schemes rely on a single authority,which is not suitable for large-scale data storage.In order to solve this problem,we present a novel decentralized attribute-based access control scheme for cloud storage environment.The proposed scheme has the following features:①Multiple authorities are independent,without the need for any central authority or global coordination;②The scheme supports any LSSS access structure and can easily carry out fine-granted access control;③We apply proxy re-encryption technique to resolve the issue of user revocation in decentralized ABE schemes.Security analysis and performance assessment show that our scheme is reliable,and can take into account both flexibility and efficiency.

Zechao Liu,Zoe L. Jiang,Xuan Wang,S.M. Yiu,Chunkai Zhang,Xiaomeng Zhao

DOI: https://doi.org/10.1109/TrustCom.2016.0055

2016-01-01

Abstract:Cloud storage service allows data owner to store their big data in the cloud and provides data access to the users. As the cloud server is not trustworthy, we cannot rely on the server to conduct data access control. To protect data security and privacy, Attribute-Based Encryption (ABE) is a promising technique for data access control in cloud storage, because it provides data owner more direct control on access policies. However, there are two dynamic issues, namely attribute revocation and policy updating, that should be solved first before deploying ABE in practice. In this paper, we design a dynamic attribute-based access control scheme, which can solve the above two problems simultaneously. Besides, our scheme can support large universe of attributes, which makes it more available in cloud storage system. The proposed scheme is proved statically secure in random oracle model.

Zhenyao Qiu,Zhiwei Zhang,Shichong Tan,Jianfeng Wang,Xiaoling Tao

DOI: https://doi.org/10.3966/160792642019052003002

2019-01-01

Abstract:Cloud storage is facing the contradiction between data security and flexible data sharing, and therefore the cryptographic access control mechanisms are well studied. In particular, hierarchical access control in cloud storage is significant for many application scenarios. In these scenarios, the users are divided into several groups organized in a hierarchy, and they are assigned with different access privileges according to their groups and levels. That is, the users in higher level groups can access the data belonging to their subordinate groups while the users in lower level groups cannot access the data belonging to their superior groups. However, most of the existing hierarchical access control solutions seem to be unpractical for their inability of scalable data sharing, inefficiency of key management or lack of delegated reencryption. In this paper, we propose a new hierarchical access control scheme based on key-aggregate encryption, and the proposed scheme realizes scalable data sharing in cloud storage which allows the users to share data with any user group. In the proposed scheme, the size of each key or ciphertext is constant and irrelevant to the scale of hierarchical user structure. Especially, our scheme improves the convenience of key management by cutting off the key derivation widely used in the existing hierarchical key assignment methods. Furthermore, the proposed scheme reduces the users' updating overhead by introducing the delegated re-encryption into the hierarchical scenarios. Finally, the security analysis and the performance evaluation indicate that our scheme is feasible for the hierarchical data sharing applications in cloud storage.

Xiong Li,Saru Kumari,Jian Shen,Fan Wu,Caisen Chen,SK Hafizul Islam

DOI: https://doi.org/10.1007/s11277-016-3742-6

IF: 2.017

2016-01-01

Wireless Personal Communications

Abstract:Cloud storage is a new storage mode emerged along with the development of cloud computing paradigm. By migrating the data to cloud storage, the consumers can be liberated from building and maintaining the private storage infrastructure, and they can enjoy the data storage service at anywhere and anytime with high reliability and a relatively low cost. However, the security and privacy risks, especially the confidentiality and integrity of data seem to be the biggest hurdle to the adoption of the cloud storage applications. In this paper, we consider the secure data access and sharing issues for cloud storage services. Based on the intractability of the discrete logarithm problem, we design a secure data access and data sharing scheme for cloud storage, where we utilize the user authentication scheme to deal with the data access problem. According to our analysis, through our scheme, only valid user with the correct password and biometric can access to the cloud storage provider. Besides, the authorized users can access the rightful resources and verify the validity of the shared data, but cannot transfer the permission to any other party. At the same time, the confidentiality and integrity of data can be guaranteed.

Xiaodong Yang,Aijia Chen,Zhisong Wang,Shudong Li

DOI: https://doi.org/10.1155/2022/2204832

IF: 1.968

2022-05-12

Security and Communication Networks

Abstract:Cloud storage is a popular model of the application in various fields, and the security of storage data and access permission have been widely considered. Attribute-based encryption (ABE) provides fine-grained user access control and ensures data confidentiality. However, current ABE access control schemes rely on trusted cloud servers and provide a low level of security. To solve these problems of traditional encryption schemes, we propose a blockchain-based and ABE cloud storage data access control scheme. In this article, blockchain and smart contract technology are the core elements to ensure data integrity and build a decentralized verification method for outsourcing results. This application can minimize the reliance on servers in the cloud environment. Based on the ciphertext-policy ABE algorithm, the proposed scheme supports a hidden access policy to avoid the risk of privacy leakage. In addition, we adopt outsourcing technology and predetected decryption algorithms to reduce the computational overhead of local and outsourced servers. Security analysis and performance evaluation show that our proposed scheme has high computational efficiency and satisfies the condition of indistinguishability under the chosen-ciphertext attacks.

computer science, information systems,telecommunications

Kai Fan,Qiong Tian,Nana Huang,Yue Wang,Hui Li,Yintang Yang

DOI: https://doi.org/10.1109/iccchina.2016.7636861

2016-01-01

Abstract:With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issue. In this paper, we present an access control system with privilege separation based on privacy protection（PS-ACS）. In the PS-ACS scheme, we divide users into private domain（PRD） and public domain（PUD） logically. In PRD, to achieve read access permission and write access permission, we adopt the Key-Aggregate Encryption（KAE） and the Improved Attribute-based Signature（IABS） respectively. In PUD, we construct a new multi-authority ciphertext policy attribute-based encryption（CP-ABE） scheme with efficient decryption to avoid the issues of single point of failure and complicated key distribution, and design an efficient attribute revocation method for it. The analysis and simulation result show that our scheme is feasible and superior to protect users’ privacy in cloud-based services.

Ran Yang,Chuang Lin,Yixin Jiang

DOI: https://doi.org/10.1109/icc.2012.6364473

2012-01-01

Abstract:In cloud computing, the sensitive data are required to be encrypted before being outsourced to the server, which introduce a heavy computation overhead for key derivation and data management when dynamic hierarchical access control is desired. In this paper, we address this challenging problem by delegating the computation intensive task, such as data re-encryption, key distribution and derivation to cloud servers. Only bilinear pairing and random padding are used in our construction. Extensive analysis shows that the proposed scheme achieves scalability and dynamic simultaneously, and is proved to be secure formally.

Kaiping Xue,Weikeng Chen,Wei Li,Jianan Hong,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2018.2809679

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:People endorse the great power of cloud computing, but cannot fully trust the cloud providers to host privacy-sensitive data, due to the absence of user-to-cloud controllability. To ensure confidentiality, data owners outsource encrypted data instead of plaintexts. To share the encrypted files with other users, ciphertext-policy attribute-based encryption (CP-ABE) can be utilized to conduct fine-grained and owner-centric access control. But this does not sufficiently become secure against other attacks. Many previous schemes did not grant the cloud provider the capability to verify whether a downloader can decrypt. Therefore, these files should be available to everyone accessible to the cloud storage. A malicious attacker can download thousands of files to launch economic denial of sustainability (EDoS) attacks, which will largely consume the cloud resource. The payer of the cloud service bears the expense. Besides, the cloud provider serves both as the accountant and the payee of resource consumption fee, lacking the transparency to data owners. These concerns should be resolved in real-world public cloud storage. In this paper, we propose a solution to secure encrypted cloud storages from EDoS attacks and provide resource consumption accountability. It uses CP-ABE schemes in a black-box manner and complies with arbitrary access policy of the CP-ABE. We present two protocols for different settings, followed by performance and security analysis.

Kan Yang,Xiaohua Jia,Kui Ren

DOI: https://doi.org/10.1145/2484313.2484383

2013-01-01

Abstract:A cloud storage service allows data owner to outsource their data to the cloud and through which provide the data access to the users. Because the cloud server and the data owner are not in the same trust domain, the semi-trusted cloud server cannot be relied to enforce the access policy. To address this challenge, traditional methods usually require the data owner to encrypt the data and deliver decryption keys to authorized users. These methods, however, normally involve complicated key management and high overhead on data owner. In this paper, we design an access control framework for cloud storage systems that achieves fine-grained access control based on an adapted Ciphertext-Policy Attribute-based Encryption (CP-ABE) approach. In the proposed scheme, an efficient attribute revocation method is proposed to cope with the dynamic changes of users' access privileges in large-scale systems. The analysis shows that the proposed access control scheme is provably secure in the random oracle model and efficient to be applied into practice.

GU Bolun,XU Zikai,LI Weihai,YU Nenghai

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024055

2024-01-01

Abstract:With the rapid development and application of the Internet, traditional storage resources have been found unable to meet the growing demand for massive data storage. An increasing number of users have attempted to upload their data to third-party cloud servers for unified storage. Efficient deduplication and secure file sharing in the cloud have emerged as critical concerns. Moreover, users have always preferred to customize their passwords for encrypting and decrypting files, only sharing encrypted files when necessary. Based on this preference, a deterministic stepwise encryption algorithm was first designed. It was such that when the keys for the two steps of encryption satisfied a certain relationship, the two steps of encryption could be equivalent to a single encryption process. A novel key-customizable encrypted deduplication scheme with access control for cloud storage was proposed, utilizing the deterministic stepwise encryption algorithm to encrypt files and a ciphertext-policy attribute-based encryption algorithm to encrypt file keys. This scheme not only offered the flexibility to customize encryption and decryption keys for different users with the same files, but also ensured secure file sharing through a dynamic access control mechanism. Moreover, the optional access control component was made compatible with the majority of existing ciphertext-policy attribute-based encryption (CP-ABE) schemes, even allowing for different CP-ABE schemes within different attribute groups. Security analysis results show that the proposed scheme achieves the highest level of security under the current encrypted deduplication paradigm. Experimental and analytical results indicate that it effectively meets the practical needs of cloud service providers and users, and also achieves acceptable efficiency.