Article

Advancements in Securing Cloud-Stored Data and Managing Sensitive Information: A Comprehensive Review of Ciphertext-Policy Attribute-Based Encryption (CP-ABE) Techniques

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

The exploring comprehensive review of cutting-edge techniques for securing cloud-stored data and managing sensitive information in the context of smart cities through the application of Ciphertext-Policy Attribute-Based Encryption (CP-ABE). It highlights the innovative integration of blockchain technology with CP-ABE, which introduces a decentralized and tamper- resistant key management system, thereby enhancing the overall security framework in cloud environments where data sharing is prevalent. Introducing an online/offline multi-authority CP- ABE scheme, characterized by hidden policies, offers significant advancements in protecting user attributes and access structures, ensuring that sensitive information remains confidential even during encryption and decryption processes. This dual approach not only fortifies security but also optimizes the efficiency of data- sharing mechanisms. Furthermore, the paper delves into imple- menting hidden sensitive policies and keyword search techniques within smart city infrastructures, which are designed to facilitate secure and efficient data retrieval. These techniques ensure that while data remains accessible to authorized users, privacy is rigorously maintained. Collectively, these approaches represent significant strides in bolstering the security and confidentiality of data in both cloud-based and smart city applications, addressing the growing demand for robust and efficient data management solutions in increasingly interconnected environments. Index Terms—Ciphertext-Policy Attribute-Based Encryption (CP-ABE), Blockchain, Key Management, Decentralized Secu- rity, Cloud-Stored Data, Yolo V7, Explainable AI (XAI), On- line/Offline Multi-Authority Scheme, Hidden policies, Privacy Preservation, Data Protection, Secure Data Management

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

ResearchGate has not been able to resolve any citations for this publication.
Conference Paper
Full-text available
Malware threats have been increasing very rapidly in today’s world. Since everyone uses the internet in the modern world, users are more vulnerable to cyberattacks. Traditional methods are not capable of finding the malware accurately so this research focuses on building an effective solution using Machine Learning to detect malicious software and interpret the model using Explainable AI to understand why a certain decision was made by the ML classifier. The dataset is preprocessed in several steps which include Min-Max Scalar for Feature Scaling, Minimum Redundancy Maximum Relevancy (MRMR) for Feature Selection, and Principal Component Analysis (PCA) for Dimensionality Reduction. Then, the algorithms are trained using multiple machine learning algorithms such as Naive Bayes, AdaBoost, Logistic Regression, Decision Tree, Random Forest, Long Short-Term Memory (LSTM) and XGBoost. Among all the classifiers, we achieved the highest accuracy of 99.825% with XGBoost. Additionally, for model interpretability, we have used Explainable AI methods such as LIME and SHAP, to understand which feature was responsible for the instance being Malware or Benign.
Article
Full-text available
The exponential growth of intrusions on networked systems inspires new research directions on developing artificial intelligence (AI) techniques for intrusion detection systems (IDS). In particular, the need to understand and explain these AI models to security analysts (managing these IDS to safeguard their networks) motivates the usage of explainable AI (XAI) methods in real-world IDS. In this work, we propose an end-to-end framework to evaluate black-box XAI methods for network IDS. We evaluate both global and local scopes for these black-box XAI methods for network intrusion detection. We analyze six different evaluation metrics for two popular black-box XAI techniques, namely SHAP and LIME. These metrics are descriptive accuracy, sparsity, stability, efficiency, robustness, and completeness. They cover main metrics from network security and AI domains. We evaluate our XAI evaluation framework using three popular network intrusion datasets and seven AI methods with different characteristics. We release our codes for the network security community to access it as a baseline XAI framework for network IDS. Our framework shows the limitations and strengths of current black-box XAI methods when applied to network IDS.
Conference Paper
Full-text available
Artificial Intelligence used in future networks is vulnerable to biases, misclassifications, and security threats, which seeds constant scrutiny in accountability. Explainable AI (XAI) methods bridge this gap in identifying unaccounted biases in black-box AI/ML models. However, scaffolding attacks would hide the internal biases of the model from XAI methods, jeopardizing any auditory or monitoring processes, service provisions , security systems, regulators, auditors, and end-users in future networking paradigms, including Intent-Based Networking (IBN). For the first time ever, we formalize and demonstrate a framework on how an attacker would adopt scaffoldings to deceive the security operators in Network Intrusion Detection Systems (NIDS). Furthermore, we propose a detection method that auditors can use to detect the attack efficiently. We rigorously test the attack and detection methods using the NSL-KDD. We then simulate the attack on 5G network data. Our simulation illustrates that the attack adoption method is successful, and the detection method can identify an affected model with extremely high confidence.
Conference Paper
Full-text available
As problems like climate change, greenhouse emissions, etc. become common, Electric Vehicles (EVs) are now being looked at as an alternative. In order for EVs to succeed, numerous charging networks must be established in a user-friendly environment and the optimum charging solution must be selected. Wireless Power Transfer (WPT) System is an option that simplifies the battery charging process for EVs as it eliminates the need for annoying cables and ensures the user's safety. Inductive power transfer is currently the most popular and mature WPT technology, which uses magnetic fields for power transfer. In order to comply with transmission and safety criteria, Foreign Object Detection (FOD) is an essential module that has to be taken care of. Deep Learning (DL) has been successfully applied to various applications by using algorithms such as CNNs, You Only Look Once (YOLO), etc. In this work, a unique approach has been taken toward FOD by using DL, particularly the YOLO v7 algorithm. The pre-trained YOLO v7 algorithm has been further customized to detect (a) coins (b) screws and (c) paper clips as part of FOD and towards the end, Mean Average Precision of 97%, 93.1% precision, and 95.3% recall values have been achieved.
Article
Full-text available
The continuous development of cloud storage service technology, secure access control, and privacy issues have attracted more and more attention. The previous ciphertext policy attribute-based encryption (CP-ABE) schemes with the function of hidden policy are only suitable for a single authority, and the existing multiauthority CP-ABE schemes do not realize the hidden policy. In addition, a large number of schemes utilize AND gate access policies so that expressiveness is weak. In this article, a scheme of online/offline multiauthority CP-ABE supporting the policy hiding function is proposed. The proposed scheme uses a combination of multiple attribute authorities (AAs) and one central authority (CA). Each AA, respectively, controls different attribute sets and distributes attribute private keys to users. Moreover, the AA can also relieve the computation overhead of the CA. In order to enhance the expressiveness than that of the existing schemes, we adopt the access policy of the linear secret sharing scheme. In the previous schemes, the access policy is used as the ciphertext component and uploaded directly to the cloud server. Especially, in the scenario of medical cloud data sharing, access policy may contain sensitive information. Therefore, the proposed scheme preserves privacy information by realizing the technology of the hidden policy. To improve the performance, our scheme utilizes the online/offline encryption to achieve a low computation cost in the online phase. Additionally, we also proved that the proposed scheme is secure based on the standard model.
Article
Full-text available
With the rapid development of cloud computing, a large number of web services have been emerging quickly, which brings a heavy burden for users to choose the services they preferred. In order to suggest web services for users, recommendation algorithms are needed and many of them have been investigated recently. However, most of the existing recommendation schemes are based on centralized historical data, which may lead to single point of failure. Generally, the data contains a lot of sensitive information that cloud may expose the privacy of users, which makes most cloud platforms reluctant to share their own data. In order to solve the above issues, the secure data sharing among cloud platforms is necessary for better recommendation, which can maximize the profits. In this paper, we propose a blockchain-assisted collaborative service recommendation scheme ( BCSRDSBC - SRDS ). Specifically, we adopt the ciphertext-policy attribute-based encryption (CP-ABE) algorithm to encrypt the data, which ensures the data confidentiality and realizes secure data sharing. Then, we utilize the blockchain to share data, such that the DoS attack, DDoS attack and single point of failure can be avoided. Meanwhile, the data integrity, tampering-proof of data are guaranteed through the blockchain. And we use locality-sensitive hashing algorithm to recommend the services for users. Finally, it is proved through the security analysis that BCSRDSBC - SRDS is capable of achieving data confidentiality, data integrity and tampering-proof. A series of experiments show that BCSRDSBC - SRDS achieves better recommendation accuracy compared with the existing schemes.
Article
Full-text available
Countless data generated in Smart city may contain private and sensitive information and should be protected from unauthorized users. The data can be encrypted by Attribute-based encryption (CP-ABE), which allows encrypter to specify access policies in the ciphertext. But, traditional CP-ABE schemes are limited because of two shortages: the access policy is public i.e., privacy exposed; the decryption time is linear with the complexity of policy, i.e., huge computational overheads. In this work, we introduce a novel method to protect the privacy of CP-ABE scheme by keyword search (KS) techniques. In detail, we define a new security model called chosen sensitive policy security : two access policies embedded in the ciphertext, one is public and the other is sensitive and hidden. If user's attributes don't satisfy the public policy, he/she cannot get any information (attribute name and its values) of the hidden one. Previous CP-ABE schemes with hidden policy only work on the “AND-gate” access structure or their ciphertext size or decryption time maybe super-polynomial. Our scheme is more expressive and compact. Since, IoT devices spread all over the smart city, so the computational overhead of encryption and decryption can be shifted to third parties. Therefore, our scheme is more applicable to resource-constrained users. We prove our scheme to be selective secure under the decisional bilinear Diffie-Hellman (DBDH) assumption.
Article
Full-text available
The health care ecosystem involves various interconnected stakeholders with different, and sometimes conflicting security and privacy needs. Sharing medical data, sometimes generated by remote medical devices, is a challenging task. Although several solutions exist in the literature covering functional requirements such as interoperability and scalability, as well as security & privacy requirements such as fine-grained access control and data privacy, balancing between them is not a trivial task as off-the-shelf solutions do not exist. On one hand, centralized cloud architectures provide scalability and interoperable access, but make strong trust assumptions. On the other, decentralized blockchain based solutions favor data privacy and independent trust management, but typically do not support dynamic changes of the underlying trust domains. To cover this gap, in this paper, we present a novel hierarchical multi expressive blockchain architecture. At the top layer, a proxy blockchain enables independently managed trust authorities to interoperate. End-users from different health care domains, such as hospitals or device manufacturers are able to access and securely exchange medical data, provided that a commonly agreed domain-wise access policy is enforced. At the bottom layer, one or more domain blockchains allow each domain (e.g. a hospital or device manufacturer) to enforce their policy and allow fine-grained access control with attribute-based encryption. This architecture is designed to provide the autonomous management of trusted medical data/devices and the transactions of mutually untrusted stakeholders, as well as an inherent forensics mechanism tailored for granular auditing. Smart contracts are used to enforce decentralized policies. Ciphertext-policy attribute based encryption (CP-ABE) is used to distribute the decryption process among end users and the system, as well as support an efficient credential revocation mechanism. We demonstrate the efficiency of the proposed architecture through a proof of concept implementation. Finally we analyse the major security and performance characteristics.
Article
Full-text available
With the rapid development of the Internet of Things (IoT) and the dramatic increase of IoT devices, the desire to outsource huge amounts of IoT data to the cloud becomes more urgent than ever. In order to ensure the confidentiality, IoT data are usually encrypted before they are outsourced to the cloud, which will inevitably hinder the statistical analysis of them. Homomorphic encryption is an alternative to achieve the computation of encrypted data, but its inefficiency makes it not practical in the IoT environment. Another problem comes with the encryption is how to enable IoT data to be accessed by users who possess a certain set of attributes defined by data owners. In this paper, we propose a novel and practical IoT data outsourcing scheme based on Corrigan-Gibbs et al. ’s computation of aggregate statistics and the ciphertext-policy attribute-based encryption (CP-ABE). It supports both secure aggregation and fine-grained access control of outsourced IoT data. Users only have to bear a small amount of computation in the process of data upload and recovery. Security analysis demonstrates that our scheme well protects the confidentiality of IoT data. A thorough and detailed performance comparison shows that our scheme enjoys a better performance on both the client side and the fog server side.
Article
Full-text available
Accurate and complete educational records are a valuable asset for people. In recent years, educational records have been digitized. However, there are still two key challenges that have not been resolved. One is to achieve secure and privacy-preserving storage of educational records, while another concern how to realize the sharing of educational records and ensure the security of the sharing process. In this paper, we propose EduRSS, a blockchain-based storage and sharing scheme for educational records is proposed, which combines blockchain, storage servers, and cryptography techniques to create a reliable and safe environment. In our proposal, the blockchain technology is used to ensure the security and reliability of data storage, while the smart contracts on the blockchain are used to regulate the process of storage and sharing. More precisely, the off-chain storage servers store the original educational records in encrypted form, while the hash information of the records is stored on the blockchain. The off-chain records are anchored periodically with the hash information on the blockchain to ensure the security of data storage. Cryptography techniques are utilized to handle records encryption and messages digital signature. To assess the effectiveness of EduRSS, we designed and tested a proof of concept of this scheme. The relative security analysis shows that EduRSS is safe and has a lower computational cost than that of the CP-ABE and the MA-CPABE schemes.
Article
Full-text available
In a data sharing system, it is a basic requirement for user who has an appropriate privilege to perform keyword retrieval for encrypted documents stored in the cloud. Although traditional searchable encryption technology can provide data protection and retrieval characteristic, there are some main issues should also be considered. Firstly, most of the existing attribute-based searchable encryption schemes only support single-keyword search, which may return abundant irrelevant search results, resulting in a waste of computational and broadband resources. Secondly, the user often need to seek some data related to some particular keywords but his attributes maybe altered frequently. Thirdly, the cloud server is not completely loyal who sometimes returns a fraction of erroneous search results. Focus on these issues, a practical multi-keyword searchable encryption scheme is proposed for data integrity verification and attribute revocation by combining the ciphertext policy attribute-based encryption (CP-ABE) and auditing ideas. The scheme one hand supports multi-keyword search which avoids the cloud server yield ample irrelevant documents by narrowing the search scope, and the other hand can implement effectively attribute revocation by entrusting ciphertext updates to powerful cloud server, thereby preventing access by illegal users. Furthermore, third-party audits use verification algorithms to ensure the correctness of search results and reduce the amount of computing by end users. The most critically, the scheme proved to be resistant to selective plaintext attacks and proved to be resistant to selective keyword attacks under the general group model. The extensive experiments result demonstrate that the scheme is more expressive, efficient and feasible in practical applications.
Article
Full-text available
Within the literature, we have witnessed in the healthcare sector, the growing demand for and adoption of software development in the cloud environment to cope with and fulfill current and future demands in healthcare services. In this paper, we propose a flexible, secure, cost effective, and privacy-preserved cloud-based framework for the healthcare environment. We propose a secure and efficient framework for the government EHR system, in which fine-grained access control can be afforded based on multi-authority ciphertext attribute-based encryption (CP-ABE), together with a hierarchical structure, to enforce access control policies. The proposed framework will allow decision makers in the Kingdom of Saudi Arabia to develop the healthcare sector and to benefit from the existing e-government cloud computing platform“Yasser,” which is responsible for delivering shared services through a highly efficient, reliable, and safe environment. This framework aims to provide health services and facilities from the government to citizens (G2C). Furthermore, multifactor applicant authentication has been identified and proofed in cooperation with two trusted authorities. Security analysis and comparisons with the related frameworks have been conducted.
Article
Full-text available
Public key encryption supporting equality test (referred to as PKE-ET) provides the capability of testing the equivalence between two messages encrypted under different public keys. Ciphertext-Policy Attribute-based encryption (CP-ABE) is a promising primitive to achieve versatile and secure data sharing in the cloud computing by providing flexible one-to-many encryption. In this paper, we firstly initialize the concept of CP-ABE with equality test (CP-ABE-ET) by combining the notions of PKE-ET and CP-ABE. Using ABE-ET primitive, the receiver can delegate a cloud server to perform an equivalence test between two messages, which are encrypted under different access policies. During the delegated equivalence test, the cloud server is unable to obtain any knowledge of the message encrypted under either access policy. We propose a concrete CP-ABE-ET scheme using bilinear pairing and Viète’s formulas, and give the security proof of the proposed scheme formally in the standard model. Moreover, the theoretic analysis and experimental simulation reveal that the proposed scheme is efficient and practical.
Conference Paper
The domain of Internet-of-Things (IoT) has experienced notable progress to enhance people's lives by aggregating the collection of diverse range of network-enabled devices around them with safety and security. Intrusion Detection and Prevention System are crucial for ensuring the security of IoT devices. There are several techniques that have been proposed to determine IoT attack detection. These techniques normally show excellent performance, but it is difficult to explain their predictions due to their complex and opaque nature. Thus, it is necessary to understand the reasons behind the prediction to make people trust the model by providing transparency and reliable in decision-making processes based on data. This paper proposes an Explainable AI (XAI) based approach for network intrusion prediction in IoT, providing transparent and trustworthy decision-making. The model's performance is evaluated and the contribution and impact of each feature on the established model for detecting IoT attacks. The results indicate that XAI is very promising for the conservation between XAI systems and cyber security professionals to information-based explanation, instance-based clarification, and evidence-based decisions.
Article
Public clouds have drawn increasing attention from academia and industry due to their high computational and storage performance. Attribute-based encryption (ABE) is the most promising technology to simultaneously achieve confidentiality and fine-grained access control of the cloud-stored data. However, traditional ABE that relies on centralized authority faces several key management issues, such as the key escrow, key distribution, key tracking, key update, and heavy communication and computing overhead for users, which will cause security concerns and impede its widespread application. On the other hand, blockchain technology preserves distributed ledgers to ensure the immutability and transparency of data, which can further solve the security vulnerabilities caused by system centralization. This paper proposes a blockchain-assisted transformation method to solve all the key management problems mentioned above in ciphertext-policy ABE by utilizing technologies such as secret sharing protocols. In addition, our transformation method realizes two additional benefits: outsourced decryption and efficient user revocation, which are extremely valuable for practical implementations. We simulate a demonstration by adopting the most popular permissioned blockchain, Hyperledger Fabric. The security and efficiency analysis reveals that the scheme obtained from our transformation method can achieve replayable chosen-ciphertext security with extremely efficient decryption.
Conference Paper
Industry 4.0 connectivity requires ensuring end-to-end (E2E) security for industrial data. This requirement is critical when retrieving data from the OT network. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) guarantees E2E security by encrypting data according to a policy and generating user keys according to attributes. To use this encryption scheme in manufacturing environments, policies must be updatable. This paper proposes a Multi-Layered Policy Key Encapsulation Method for CP-ABE that allows flexible policy update and revocation without modifying the original CP-ABE scheme.
  • E Haque
  • K Hasan
  • I Ahmed
  • M S Alam
  • T Islam
Haque, E., Hasan, K., Ahmed, I., Alam, M. S., & Islam, T. (2024). Enhancing UAV Security Through Zero Trust Architecture: An Advanced Deep Learning and Explainable AI Analysis. arXiv preprint arXiv:2403.17093.