Attribute-Based Access Control with Efficient Revocation in Data Outsourcing Systems

IEEE Transactions on Parallel and Distributed Systems (Impact Factor: 1.8). 08/2011; DOI: 10.1109/TPDS.2010.203
Source: IEEE Xplore

ABSTRACT: Some of the most challenging issues in data outsourcing scenarios are the enforcement of authorization policies and the support of policy updates. Ciphertext-policy attribute-based encryption is a promising cryptographic solution to these issues for enforcing access control policies defined by a data owner on outsourced data. However, applying attribute-based encryption in an outsourced architecture introduces several challenges with regard to attribute and user revocation. In this paper, we propose an access control mechanism using ciphertext-policy attribute-based encryption to enforce access control policies with efficient attribute and user revocation capability. Fine-grained access control can be achieved by a dual encryption mechanism which takes advantage of attribute-based encryption and selective group key distribution in each attribute group. We demonstrate how to apply the proposed mechanism to securely manage the outsourced data. The analysis results indicate that the proposed scheme is efficient and secure in data outsourcing systems.

  • ABSTRACT: Recently, the need for outsourcing sensitive data has grown due to the wide spread of cost-effective and flexible cloud services. However, there is a fundamental concern in using such services since users have to trust external servers. Therefore, searchable encryption can be a very valuable tool to meet the security requirements of data outsourcing. However, most work on searchable encryption focuses only on the privacy-preserving search function, and research on the encryption mechanism used to actually encrypt data is relatively lacking. Without a suitable latter mechanism, searchable encryption cannot be deployed in real-world cloud services. In this paper, we analyze previously used and possible data encryption mechanisms for multi-user searchable encryption systems and discuss their pros and cons. Our results show that readily available tools such as broadcast encryption, attribute-based encryption, and proxy re-encryption do not provide suitable solutions. The main problems with existing tools are that they may require separate fully trusted servers and the difficulty in preventing collusion attacks between outsiders and semi-trusted servers.
    Journal of the Korea Society of Computer and Information. 01/2013; 18(9).
  • ABSTRACT: Cloud services are blooming recently. They provide a convenient way for data accessing, sharing, and processing. A key ingredient for successful cloud services is to control data access while considering the specific features of cloud services. The specific features include a great quantity of outsourced data, a large number of users, honest-but-curious cloud servers, a frequently changed user set, dynamic access control policies, and data accessing for light-weight mobile devices. This paper addresses a cryptographic key assignment problem for enforcing a hierarchical access control policy over cloud data. We propose a new hierarchical key assignment scheme, CloudHKA, that observes the Bell-LaPadula security model and efficiently deals with the user revocation issue practically. We use CloudHKA to encrypt outsourced data so that the data are secure against honest-but-curious cloud servers. CloudHKA possesses almost all advantages of the related schemes, e.g., each user only needs to store one secret key, supporting dynamic user set and access hierarchy, and provably-secure against collusive attacks. In particular, CloudHKA provides the following distinct features that make it more suitable for controlling access of cloud data. (1) A user only needs a constant computation time for each data accessing. (2) The encrypted data are securely updatable so that the user revocation can prevent a revoked user from decrypting newly and previously encrypted data. Notably, the updates can be outsourced by using public information only. (3) CloudHKA is secure against the legal access attack. The attack is launched by an authorized, but malicious, user who pre-downloads the needed information for decrypting data ciphertexts in his authorization period. The user uses the pre-downloaded information for future decryption even after he is revoked. Note that the pre-downloaded information is often only a small portion of the encrypted data, e.g. the header-cipher in a hybrid encrypted data ciphertext. (4) Each user can be flexibly authorized the access rights of Write or Read, or both.
    Proceedings of the 11th international conference on Applied Cryptography and Network Security; 06/2013
  • ABSTRACT: This paper deals with the problem of collaboratively secure document editing in a cloud environment. Using a cloud document editing service, several users can create and edit a document collaboratively. However, as the cloud service provider is not trusted to guarantee the confidentiality of these documents, existing methods encrypt the documents before uploading them to the cloud. While these approaches can be inefficient for collaborative editing, we propose to organize the content of a document using a Red-Black tree and encrypt each block of data separately, so as to improve the performance of collaborative editing systems. Although creating and maintaining the Red-Black tree introduces extra cost, compared to the whole document encryption strategy the experimental results show that for text editing operations, such as insertion and removal, the use of the Red-Black tree algorithm improves efficiency by 31.04% if 3DES encryption is applied and by 23.94% if AES encryption is applied.
    Proceedings of the 2012 IEEE 4th International Conference on Cloud Computing Technology and Science (CloudCom); 12/2012