09-08-2012, 02:53 PM
Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing
INTRODUCTION
Cloud computing is a promising computing paradigm which
recently has drawn extensive attention from both academia and
industry. By combining a set of existing and new techniques
from research areas such as Service-Oriented Architectures
(SOA) and virtualization, cloud computing is regarded as
a computing paradigm in which resources in the computing
infrastructure are provided as services over the Internet. Along
with this new paradigm, various business models are developed,
which can be described by the terminology “X as a
service (XaaS)” [1], where X could be software, hardware,
data storage, etc. Successful examples are Amazon’s EC2
and S3 [2], Google App Engine [3], and Microsoft Azure [4]
which provide users with scalable resources in the pay-as-you-use
fashion at relatively low prices. For example, Amazon’s S3
data storage service just charges $0.12 to $0.15 per gigabyte-month.
As compared to building their own infrastructures,
users are able to save their investments significantly by migrating
businesses into the cloud. With the increasing development
of cloud computing technologies, it is not hard to imagine that
in the near future more and more businesses will be moved
into the cloud.
MODELS AND ASSUMPTIONS
System Models
Similar to [17], we assume that the system is composed of
the following parties: the Data Owner, many Data Consumers,
many Cloud Servers, and a Third Party Auditor if necessary.
To access data files shared by the data owner, Data Consumers,
or users for brevity, download data files of their interest from
Cloud Servers and then decrypt them. Neither the data owner nor
users will always be online; they come online only when
necessary. For simplicity, we assume that the only access
privilege for users is data file reading. Extending our proposed
scheme to support data file writing is trivial by asking the data
writer to sign the new data file on each update as [12] does.
From now on, we will also refer to data files simply as files for brevity.
Cloud Servers are always online and operated by the Cloud
Service Provider (CSP). They are assumed to have abundant
storage capacity and computation power. The Third Party
Auditor is also an online party which is used for auditing every
file access event. In addition, we also assume that the data
owner can not only store data files but also run his own code
on Cloud Servers to manage his data files. This assumption
coincides with the unified ontology of cloud computing which
is recently proposed by Youseff et al. [18].
OUR PROPOSED SCHEME
Main Idea
In order to achieve secure, scalable and fine-grained access
control on outsourced data in the cloud, we utilize and
uniquely combine the following three advanced cryptographic
techniques: KP-ABE, PRE and lazy re-encryption. More
specifically, we associate each data file with a set of attributes,
and assign each user an expressive access structure which is
defined over these attributes. To enforce this kind of access
control, we utilize KP-ABE to escort data encryption keys of
data files. Such a construction enables us to immediately enjoy
fine-grainedness of access control. However, this construction,
if deployed alone, would introduce heavy computation
overhead and cumbersome online burden on the data
owner, as he is in charge of all the operations of data/user
management. Specifically, such an issue is mainly caused by
the operation of user revocation, which inevitably requires
the data owner to re-encrypt all the data files accessible to
the leaving user, or even requires the data owner to stay online
to update secret keys for users.
CONCLUSION
This paper aims at fine-grained data access control in cloud
computing. One challenge in this context is to achieve fine-grainedness,
data confidentiality, and scalability simultaneously,
which is not provided by current work. In this paper
we propose a scheme to achieve this goal by exploiting KP-ABE
and uniquely combining it with techniques of proxy
re-encryption and lazy re-encryption. Moreover, our proposed
scheme can enable the data owner to delegate most of the computation
overhead to powerful cloud servers. Confidentiality
of user access privilege and user secret key accountability can
be achieved. Formal security proofs show that our proposed
scheme is secure under standard cryptographic models.
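
The policy side of the Main Idea section, as an added example that is not code from the paper or its authors: files carry attribute sets, users hold access structures, and revoking a user means re-encrypting every file that user could read. It models only the access-control semantics, with no cryptography. Assumptions: access structures are trees of threshold gates, remaining users who can read an affected file are the ones needing key updates, and all file names, user names and attributes are constructed.

```python
from dataclasses import dataclass
from typing import Tuple, Union

@dataclass(frozen=True)
class Gate:
    """Threshold gate: satisfied when at least k children are satisfied."""
    k: int
    children: Tuple["Node", ...]

Node = Union[str, Gate]  # a leaf is a plain attribute name

def AND(*children): return Gate(len(children), children)  # all children required
def OR(*children): return Gate(1, children)                # any one child suffices

def satisfies(node, attrs):
    """True if a file's attribute set satisfies a user's access structure."""
    if isinstance(node, str):
        return node in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.k

def accessible(structure, files):
    """Names of files whose data encryption key this structure can recover."""
    return {name for name, attrs in files.items() if satisfies(structure, attrs)}

def revocation_impact(leaving, users, files):
    """Files to re-encrypt when `leaving` is revoked, plus the remaining users
    who can read any of those files and so need updated secret keys
    (a modelling assumption of this example)."""
    affected = accessible(users[leaving], files)
    rekey = {u for u, s in users.items()
             if u != leaving and accessible(s, files) & affected}
    return affected, rekey

# Constructed sample data (not from the paper).
FILES = {
    "mri_2012.dcm":   {"cardiology", "imaging", "2012"},
    "ecg_notes.txt":  {"cardiology", "notes", "2012"},
    "billing_q3.csv": {"finance", "2012"},
    "hr_policy.pdf":  {"hr"},
}
USERS = {
    "alice": AND("cardiology", OR("imaging", "notes")),
    "bob":   Gate(2, ("finance", "2012", "hr")),  # any 2 of these 3 attributes
    "carol": AND("cardiology", "imaging"),
}

if __name__ == "__main__":
    for user in USERS:
        affected, rekey = revocation_impact(user, USERS, FILES)
        print(f"revoke {user}: re-encrypt {sorted(affected)}, rekey {sorted(rekey)}")
```

Revoking alice touches two files and forces a key update for carol, while revoking bob touches one file and no other user, which is the per-revocation owner workload the scheme aims to delegate to the cloud servers.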