18-10-2016, 03:28 PM
Abstract—Data access control has become a challenging issue in cloud storage systems. Some techniques have been
proposed to achieve secure data access control in a semitrusted cloud storage system. Recently, K. Yang et al. proposed a
basic data access control scheme for multiauthority cloud storage system (DAC-MACS) and an extensive data access control
scheme (EDAC-MACS). They claimed that the DAC-MACS could achieve efficient decryption and immediate revocation and the
EDAC-MACS could also achieve these goals even though nonrevoked users reveal their Key Update Keys to the revoked user.
However, our cryptanalysis shows that the revocation security of both schemes cannot be guaranteed. In this paper, we first give
two attacks on the two schemes. By the first attack, the revoked user can eavesdrop to obtain other users’ Key Update Keys to
update its Secret Key, and then it can obtain proper Token to decrypt any secret information as a nonrevoked user. In addition,
by the second attack, the revoked user can intercept Ciphertext Update Key to retrieve its ability to decrypt any secret
information as a nonrevoked user. Secondly, we propose a new extensive DAC-MACS scheme (NEDAC-MACS) to withstand
the above two attacks so as to guarantee more secure attribute revocation. Then, formal cryptanalysis of NEDAC-MACS is
presented to prove the security goals of the scheme. Finally, the performance comparison among NEDAC-MACS and related
schemes is given to demonstrate that the performance of NEDAC-MACS is superior to that of DACC, and relatively the same as
that of DAC-MACS.
1 INTRODUCTION
Cloud computing extends the existing capabilities of
Information Technology (IT) since cloud adaptively
provides storage and processing services such as SaaS,
IaaS, and PaaS that dynamically increase the capacity and
add capabilities without investing in new infrastructure
or licensing new software [1].
However, the data access control (DAC) issue of cloud
computing systems has been escalated by the surge in
attacks such as collusion, wiretapping and distortion, so that
DAC must be designed with sufficient resistance. DAC
issues are mainly related to the security policies provided
to the users accessing the uploaded data, and the techniques
of DAC must specify their own defined security
access policies and the further support of policy updates,
based on which each valid user can have access to some
particular sets of data whereas invalid users are unauthorized
to access the data. One approach to alleviate
attacks is to store the outsourcing data in encrypted form.
However, due to the normally semitrusted cloud and its
arrangement issues of administration rights, cloud-based
access control approaches with traditional encryption are
no longer applicable to cloud storage systems [2].
Sahai and Waters [4] laid a theoretical foundation for
solving the above encryption problem by introducing the
new concept of attribute-based encryption (ABE), whose
prototype is identity-based encryption (IBE). The ABE
notion has been the promising cryptographic approach on
which more intensive research is based. V. Goyal et al.
first proposed the key-policy attribute based encryption
for fine-grained access control (KP-ABE) [5]. In KP-ABE,
the data was encrypted by attribute set, and decryption
was possible only when the user’s policy tree matched the
attribute set in the ciphertext. Shortly after KP-ABE, J.
Bethencourt introduced the mechanism of ciphertext policy
attribute-based encryption (CP-ABE) [6], in which the
user received attributes and secret keys from the attribute
authority and was able to decrypt ciphertext only if it
held sufficient attributes that satisfied the access policy
embedded in the ciphertext.
Furthermore, the constructed CP-ABE scheme is
deemed as one of the most appropriate techniques for
data access control in cloud storage systems, since it can
be configured to some DAC schemes which do not require
the data owners to distribute keys and furnish the
data owners with more efficient and attribute-level control
on defined access policies offline. A myriad of data
access control techniques based on CP-ABE (e.g. [2], [3],
[7]-[19]) are proposed to construct the efficient, secure,
fine-grained and attribute-level-revocable access
schemes in a semi-trusted cloud storage system. However,
based on the Dolev-Yao model [30], security goals
such as active attack resistance, data confidentiality,
anti-collusion, and attribute-revocation security of most
solution designs cannot all be perfectly guaranteed,
since capable Dolev-Yao adversaries can overhear,
intercept, replay, and synthesize arbitrary information in
the open communication channels. For example, in the context
of attribute revocation in the DAC-MACS and EDAC-MACS
schemes proposed by K. Yang et al. [2], due to
the open and non-secure communication channel, the
revoked users, as the Dolev-Yao adversaries, can still
breach the backward revocation when they eavesdrop to
obtain more than two valid users’ Key Update Keys to
update their own Secret Keys, or when they intercept
the Ciphertext Update Key delivered from attribute authority
to cloud. In both scenarios, each revoked user
can retrieve its ability to decrypt any secret information
as a non-revoked user.
1.1 Our Contributions
In this paper, we first give two attacks on the revocation
security of DAC-MACS and EDAC-MACS, which our cryptanalysis
shows cannot be guaranteed. Subsequently,
a new extensive DAC-MACS scheme (NEDAC-MACS)
is proposed to withstand the above two attacks so as
to support more secure attribute revocation. The main
contributions of this paper are summarized as follows:
1. In this paper, two attacks are first constructed on
the vulnerabilities of revocation security in DAC-MACS
and EDAC-MACS. By the first attack, the
revoked user can eavesdrop to obtain other users’
Key Update Keys to update its Secret Keys, and
then it can obtain proper Token to decrypt any secret
information as a nonrevoked user as before. In
addition, by the second attack, the revoked user
can intercept the Ciphertext Update Key to retrieve
its ability to decrypt any secret information
as a nonrevoked user as before.
2. Secondly, we propose a new extensive DAC-MACS
scheme, denoted as NEDAC-MACS, to
withstand the above two attacks and support more secure
attribute revocation. We modify some of DAC-MACS’s
algorithms, and perform the vital ciphertext
update communication between the cloud server
and the AAs with some more secure algorithms. Our
NEDAC-MACS scheme mainly includes two improvements
on DAC-MACS, at the Secret Key Generation
phase and the Attribute Revocation phase, and it
can run correctly according to the correctness
proof of NEDAC-MACS.
3. Then, formal cryptanalysis of the NEDAC-MACS
is described to prove that the proposed NEDAC-MACS
can guarantee collusion resistance, secure
attribute revocation, data confidentiality, and
provable security against static corruption of authorities
based on the random oracle model.
4. Finally, performance analysis of our NEDAC-MACS
is conducted by making an efficiency
comparison among related CP-ABE schemes to
show that NEDAC-MACS is security-enhanced
without sacrificing much efficiency. The
major overhead of decryption is also securely outsourced
to the cloud servers, and the overall overheads
of storage, communication and computation
of NEDAC-MACS are superior to those of
DACC and relatively the same as those of DAC-MACS.
1.2 Organization
We first introduce related work in Section 2. The system
model and framework of DAC-MACS and EDAC-MACS
are briefly reviewed in Section 3. Then, two detailed attacks
on the attribute revocation security of the two
schemes are elaborated in Section 4. Subsequently, a new
extensive DAC-MACS scheme with enhanced revocation
security is proposed in Section 5. Sections 6 and 7 present
the formal cryptanalysis and performance simulation of
our NEDAC-MACS scheme, respectively. Finally, the
conclusion is given in Section 8.
2 RELATED WORK
Data Access Control: A plurality of data access control systems
(e.g. [2], [3], [7]-[19]) based on the promising CP-ABE
technique are proposed to construct the efficient,
secure, fine-grained and revocable access schemes. S. Ruj
et al. (2011) proposed a distributed access control scheme
in clouds (DACC) [9] that supported attribute revocation.
In DACC, one or more key distribution centers (KDCs)
distributed keys to data owners and users. Technically, it
requires not only forward security but more indispensable
backward security in the context of attribute revocation.
However, DACC supported attribute revocation
with vulnerable forward security [2].
J. Hur et al. (2011) proposed an attribute-based DAC
scheme [12] with efficient revocation in cloud storage systems,
whereas it was designed only for the cloud systems
with single trusted authority. In addition, the above two
schemes both require data owners to reencrypt the outsourced
ciphertext after revocation.
Liu et al. (2013) presented a secure multi-owner data
sharing scheme called Mona [20]. It is claimed that the
scheme can achieve fine-grained access control and secure
revocation. However, the scheme will easily suffer from
collusion attack by the revoked user and the cloud [21].
Recently, K. Yang et al. proposed a data access control
scheme for multiauthority cloud storage system (DAC-MACS)
[2] and [3] which both supported more efficient
decryption and secure attribute revocation without reencryption
by the data owners. In reference [2], due to a
strong security assumption in DAC-MACS that the nonrevoked
users will not reveal their key update keys to the
revoked user, the authors further removed the assumption
and proposed the extensive data access control
scheme (EDAC-MACS). In the context of secure attribute
revocation, DAC-MACS and EDAC-MACS could both
achieve forward revocation security irrespective of active
attacks. However, the backward revocation security both
in DAC-MACS and EDAC-MACS still cannot be guaranteed
when the revoked user eavesdrops to obtain more
than two users’ Key Update Keys to update its Secret Key,
or when the revoked user intercepts the Ciphertext Update
Key. In both scenarios, the revoked user can retrieve
its ability to decrypt any secret information as a nonrevoked
user just as before.
Efficiency of Outsourcing Decryption: Green et al. [22]
(2011) introduced the notion of outsourcing ABE decryption,
and presented two concrete ABE schemes with outsourced
decryption, which outsourced the main computation
of the decryption and only incurred a small overhead
of plaintext recovery for the user by using a token-based
decryption method. When outsourcing the decryption of
ABE ciphertext, data confidentiality against the curious
but honest cloud servers or an adversary can be guaranteed;
however, most ABE schemes provide no guarantee
on the correctness of the outsourced transformation done
by the cloud servers. Cloud service providers are postulated
to be semi-trusted and may have profit motives to
reduce the computation and return incorrect answers
which are unlikely to be detected by valid users. Recently,
Lai [23] (2013) modified the original model of Green’s
ABE schemes [22] to allow for verifiability of the outsourced
transformations. However, the storage, computation
and communication overheads of the additional redundancy
in scheme [23] all scale linearly with the complexity
of the transmitted ciphertext and cannot be practical
and flexible in more general scenario