11-10-2016, 02:45 PM
[attachment=72858]
Abstract—Cloud computing is an emerging computing
paradigm in which resources of the computing infrastructure
are provided as services over the Internet. As promising as it is,
this paradigm also brings forth many new challenges for data
security and access control when users outsource sensitive data
for sharing on cloud servers, which are not within the same
trusted domain as data owners. To keep sensitive user data
confidential against untrusted servers, existing solutions usually
apply cryptographic methods by disclosing data decryption keys
only to authorized users. However, in doing so, these solutions
inevitably introduce a heavy computation overhead on the data
owner for key distribution and data management when finegrained
data access control is desired, and thus do not scale
well. The problem of simultaneously achieving fine-grainedness,
scalability, and data confidentiality of access control actually still
remains unresolved. This paper addresses this challenging open
issue by, on one hand, defining and enforcing access policies based
on data attributes, and, on the other hand, allowing the data
owner to delegate most of the computation tasks involved in finegrained
data access control to untrusted cloud servers without
disclosing the underlying data contents. We achieve this goal by
exploiting and uniquely combining techniques of attribute-based
encryption (ABE), proxy re-encryption, and lazy re-encryption.
Our proposed scheme also has salient properties of user access
privilege confidentiality and user secret key accountability. Extensive
analysis shows that our proposed scheme is highly efficient
and provably secure under existing security models.
I. INTRODUCTION
Cloud computing is a promising computing paradigm which
recently has drawn extensive attention from both academia and
industry. By combining a set of existing and new techniques
from research areas such as Service-Oriented Architectures
(SOA) and virtualization, cloud computing is regarded as such
a computing paradigm in which resources in the computing
infrastructure are provided as services over the Internet. Along
with this new paradigm, various business models are developed,
which can be described by terminology of “X as a
service (XaaS)” [1] where X could be software, hardware,
data storage, and etc. Successful examples are Amazon’s EC2
and S3 [2], Google App Engine [3], and Microsoft Azure [4]
which provide users with scalable resources in the pay-as-youuse
fashion at relatively low prices. For example, Amazon’s S3
data storage service just charges $0.12 to $0.15 per gigabytemonth.
As compared to building their own infrastructures,
users are able to save their investments significantly by migrating
businesses into the cloud. With the increasing development
of cloud computing technologies, it is not hard to imagine that
in the near future more and more businesses will be moved
into the cloud.
As promising as it is, cloud computing is also facing many
challenges that, if not well resolved, may impede its fast
growth. Data security, as it exists in many other applications,
is among these challenges that would raise great concerns
from users when they store sensitive information on cloud
servers. These concerns originate from the fact that cloud
servers are usually operated by commercial providers which
are very likely to be outside of the trusted domain of the users.
Data confidential against cloud servers is hence frequently
desired when users outsource data for storage in the cloud. In
some practical application systems, data confidentiality is not
only a security/privacy issue, but also of juristic concerns. For
example, in healthcare application scenarios use and disclosure
of protected health information (PHI) should meet the requirements
of Health Insurance Portability and Accountability Act
(HIPAA) [5], and keeping user data confidential against the
storage servers is not just an option, but a requirement.
Furthermore, we observe that there are also cases in which
cloud users themselves are content providers. They publish
data on cloud servers for sharing and need fine-grained data
access control in terms of which user (data consumer) has the
access privilege to which types of data. In the healthcare case,
for example, a medical center would be the data owner who
stores millions of healthcare records in the cloud. It would
allow data consumers such as doctors, patients, researchers
and etc, to access various types of healthcare records under
policies admitted by HIPAA. To enforce these access policies,
the data owners on one hand would like to take advantage of
the abundant resources that the cloud provides for efficiency
and economy; on the other hand, they may want to keep the
data contents confidential against cloud servers.
As a significant research area for system protection, data
access control has been evolving in the past thirty years and
various techniques [6]–[9] have been developed to effectively
implement fine-grained access control, which allows flexibility
in specifying differential access rights of individual users. Traditional
access control architectures usually assume the data
owner and the servers storing the data are in the same trusted
domain, where the servers are fully entrusted as an omniscient
reference monitor [10] responsible for defining and enforcing
access control policies. This assumption however no longer
holds in cloud computing since the data owner and cloud
servers are very likely to be in two different domains. On one
hand, cloud servers are not entitled to access the outsourced
data content for data confidentiality; on the other hand, the
data resources are not physically under the full control of the owner. For the purpose of helping the data owner enjoy
fine-grained access control of data stored on untrusted cloud
servers, a feasible solution would be encrypting data through
certain cryptographic primitive(s), and disclosing decryption
keys only to authorized users. Unauthorized users, including
cloud servers, are not able to decrypt since they do not have
the data decryption keys. This general method actually has
been widely adopted by existing works [11]–[14] which aim
at securing data storage on untrusted servers. One critical issue
with this branch of approaches is how to achieve the desired
security goals without introducing a high complexity on key
management and data encryption. These existing works, as
we will discuss in section V-C, resolve this issue either by
introducing a per file access control list (ACL) for fine-grained
access control, or by categorizing files into several f ilegroups
for efficiency. As the system scales, however, the complexity
of the ACL-based scheme would be proportional to the number
of users in the system. The f ilegroup-based scheme, on
the other hand, is just able to provide coarse-grained data
access control. It actually still remains open to simultaneously
achieve the goals of fine-grainedness, scalability, and data
confidentiality for data access control in cloud computing.
In this paper, we address this open issue and propose a
secure and scalable fine-grained data access control scheme
for cloud computing. Our proposed scheme is partially based
on our observation that, in practical application scenarios each
data file can be associated with a set of attributes which are
meaningful in the context of interest. The access structure of
each user can thus be defined as a unique logical expression
over these attributes to reflect the scope of data files that
the user is allowed to access. As the logical expression can
represent any desired data file set, fine-grainedness of data
access control is achieved. To enforce these access structures,
we define a public key component for each attribute. Data files
are encrypted using public key components corresponding to
their attributes. User secret keys are defined to reflect their
access structures so that a user is able to decrypt a ciphertext
if and only if the data file attributes satisfy his access structure.
Such a design also brings about the efficiency benefit, as
compared to previous works, in that, 1) the complexity of
encryption is just related the number of attributes associated
to the data file, and is independent to the number of users
in the system; and 2) data file creation/deletion and new user
grant operations just affect current file/user without involving
system-wide data file update or re-keying. One extremely
challenging issue with this design is the implementation of
user revocation, which would inevitably require re-encryption
of data files accessible to the leaving user, and may need
update of secret keys for all the remaining users. If all these
tasks are performed by the data owner himself/herself, it would
introduce a heavy computation overhead on him/her and may
also require the data owner to be always online. To resolve
this challenging issue, our proposed scheme enables the data
owner to delegate tasks of data file re-encryption and user
secret key update to cloud servers without disclosing data
contents or user access privilege information. We achieve our
design goals by exploiting a novel cryptographic primitive,
namely key policy attribute-based encryption (KP-ABE) [15], and uniquely combine it with the technique of proxy reencryption
(PRE) [16] and lazy re-encryption [11].
Main contributions of this paper can be summarized as
follows. 1) To the best of our knowledge, this paper is the first
that simultaneously achieves fine-grainedness, scalability and
data confidentiality for data access control in cloud computing;
2) Our proposed scheme enables the data owner to delegate
most of computation intensive tasks to cloud servers without
disclosing data contents or user access privilege information;
3) The proposed scheme is provably secure under the standard
security model. In addition, our proposed scheme is able to
support user accountability with minor extension.
The rest of this paper is organized as follows. Section II
discusses models and assumptions. Section III reviews some
technique preliminaries pertaining to our construction. Section
IV presents our construction. In section V, we analyze our
proposed scheme in terms of its security and performance.
We conclude this paper in Section VI.
II. MODELS AND ASSUMPTIONS
A. System Models
Similar to [17], we assume that the system is composed of
the following parties: the Data Owner, many Data Consumers,
many Cloud Servers, and a Third Party Auditor if necessary.
To access data files shared by the data owner, Data Consumers,
or users for brevity, download data files of their interest from
Cloud Servers and then decrypt. Neither the data owner nor
users will be always online. They come online just on the
necessity basis. For simplicity, we assume that the only access
privilege for users is data file reading. Extending our proposed
scheme to support data file writing is trivial by asking the data
writer to sign the new data file on each update as [12] does.
From now on, we will also call data files by files for brevity.
Cloud Servers are always online and operated by the Cloud
Service Provider (CSP). They are assumed to have abundant
storage capacity and computation power. The Third Party
Auditor is also an online party which is used for auditing every
file access event. In addition, we also assume that the data
owner can not only store data files but also run his own code
on Cloud Servers to manage his data files. This assumption
coincides with the unified ontology of cloud computing which
is recently proposed by Youseff et al. [18].
B. Security Models
In this work, we just consider Honest but Curious Cloud
Servers as [14] does. That is to say, Cloud Servers will follow
our proposed protocol in general, but try to find out as much
secret information as possible based on their inputs. More
specifically, we assume Cloud Servers are more interested
in file contents and user access privilege information than
other secret information. Cloud Servers might collude with a
small number of malicious users for the purpose of harvesting
file contents when it is highly beneficial. Communication
channel between the data owner/users and Cloud Servers are
assumed to be secured under existing security protocols such
as SSL. Users would try to access files either within or outside
the scope of their access privileges. To achieve this goal, unauthorized users may work independently or cooperatively.
In addition, each party is preloaded with a public/private key
pair and the public key can be easily obtained by other parties
when necessary.
C. Design Goals
Our main design goal is to help the data owner achieve
fine-grained access control on files stored by Cloud Servers.
Specifically, we want to enable the data owner to enforce a
unique access structure on each user, which precisely designates
the set of files that the user is allowed to access.
We also want to prevent Cloud Servers from being able to
learn both the data file contents and user access privilege
information. In addition, the proposed scheme should be able
to achieve security goals like user accountability and support
basic operations such as user grant/revocation as a general
one-to-many communication system would require. All these
design goals should be achieved efficiently in the sense that
the system is scalable.
III. TECHNIQUE PRELIMINARIES
A. Key Policy Attribute-Based Encryption (KP-ABE)
KP-ABE [15] is a public key cryptography primitive for
one-to-many communications. In KP-ABE, data are associated
with attributes for each of which a public key component is
defined. The encryptor associates the set of attributes to the
message by encrypting it with the corresponding public key
components. Each user is assigned an access structure which
is usually defined as an access tree over data attributes, i.e.,
interior nodes of the access tree are threshold gates and leaf
nodes are associated with attributes. User secret key is defined
to reflect the access structure so that the user is able to decrypt
a ciphertext if and only if the data attributes satisfy his access
structure. A KP-ABE scheme is composed of four algorithms
which can be defined as follows:
Setup This algorithm takes as input a security parameter κ
and the attribute universe U = {1, 2,...,N} of cardinality
N. It defines a bilinear group G1 of prime order p with a
generator g, a bilinear map e : G1 × G1 → G2 which has the
properties of bilinearity, computability, and non-degeneracy.
It returns the public key PK as well as a system master key
MK as follows
PK = (Y,T1, T2,...,TN )
MK = (y, t1, t2,...,tN )
where Ti ∈ G1 and ti ∈ Zp are for attribute i, 1 ≤ i ≤ N, and
Y ∈ G2 is another public key component. We have Ti = gti
and Y = e(g, g)y, y ∈ Zp. While PK is publicly known to
all the parties in the system, MK is kept as a secret by the
authority party.
Encryption This algorithm takes a message M, the public key
PK, and a set of attributes I as input. It outputs the ciphertext
E with the following format:
E = (I, E, ˜ {Ei}i∈I )
where E˜ = MY s, Ei = Ts
i , and s is randomly chosen from
Zp.
CONCLUSION
This paper aims at fine-grained data access control in cloud
computing. One challenge in this context is to achieve fine grainedness, data confidentiality, and scalability simultaneously,
which is not provided by current work. In this paper
we propose a scheme to achieve this goal by exploiting KPABE
and uniquely combining it with techniques of proxy
re-encryption and lazy re-encryption. Moreover, our proposed
scheme can enable the data owner to delegate most of computation
overhead to powerful cloud servers. Confidentiality
of user access privilege and user secret key accountability can
be achieved. Formal security proofs show that our proposed
scheme is secure under standard cryptographic models.
Abstract—Cloud computing is an emerging computing
paradigm in which resources of the computing infrastructure
are provided as services over the Internet. As promising as it is,
this paradigm also brings forth many new challenges for data
security and access control when users outsource sensitive data
for sharing on cloud servers, which are not within the same
trusted domain as data owners. To keep sensitive user data
confidential against untrusted servers, existing solutions usually
apply cryptographic methods by disclosing data decryption keys
only to authorized users. However, in doing so, these solutions
inevitably introduce a heavy computation overhead on the data
owner for key distribution and data management when finegrained
data access control is desired, and thus do not scale
well. The problem of simultaneously achieving fine-grainedness,
scalability, and data confidentiality of access control actually still
remains unresolved. This paper addresses this challenging open
issue by, on one hand, defining and enforcing access policies based
on data attributes, and, on the other hand, allowing the data
owner to delegate most of the computation tasks involved in finegrained
data access control to untrusted cloud servers without
disclosing the underlying data contents. We achieve this goal by
exploiting and uniquely combining techniques of attribute-based
encryption (ABE), proxy re-encryption, and lazy re-encryption.
Our proposed scheme also has salient properties of user access
privilege confidentiality and user secret key accountability. Extensive
analysis shows that our proposed scheme is highly efficient
and provably secure under existing security models.
I. INTRODUCTION
Cloud computing is a promising computing paradigm which
recently has drawn extensive attention from both academia and
industry. By combining a set of existing and new techniques
from research areas such as Service-Oriented Architectures
(SOA) and virtualization, cloud computing is regarded as such
a computing paradigm in which resources in the computing
infrastructure are provided as services over the Internet. Along
with this new paradigm, various business models are developed,
which can be described by terminology of “X as a
service (XaaS)” [1] where X could be software, hardware,
data storage, and etc. Successful examples are Amazon’s EC2
and S3 [2], Google App Engine [3], and Microsoft Azure [4]
which provide users with scalable resources in the pay-as-youuse
fashion at relatively low prices. For example, Amazon’s S3
data storage service just charges $0.12 to $0.15 per gigabytemonth.
As compared to building their own infrastructures,
users are able to save their investments significantly by migrating
businesses into the cloud. With the increasing development
of cloud computing technologies, it is not hard to imagine that
in the near future more and more businesses will be moved
into the cloud.
As promising as it is, cloud computing is also facing many
challenges that, if not well resolved, may impede its fast
growth. Data security, as it exists in many other applications,
is among these challenges that would raise great concerns
from users when they store sensitive information on cloud
servers. These concerns originate from the fact that cloud
servers are usually operated by commercial providers which
are very likely to be outside of the trusted domain of the users.
Data confidential against cloud servers is hence frequently
desired when users outsource data for storage in the cloud. In
some practical application systems, data confidentiality is not
only a security/privacy issue, but also of juristic concerns. For
example, in healthcare application scenarios use and disclosure
of protected health information (PHI) should meet the requirements
of Health Insurance Portability and Accountability Act
(HIPAA) [5], and keeping user data confidential against the
storage servers is not just an option, but a requirement.
Furthermore, we observe that there are also cases in which
cloud users themselves are content providers. They publish
data on cloud servers for sharing and need fine-grained data
access control in terms of which user (data consumer) has the
access privilege to which types of data. In the healthcare case,
for example, a medical center would be the data owner who
stores millions of healthcare records in the cloud. It would
allow data consumers such as doctors, patients, researchers
and etc, to access various types of healthcare records under
policies admitted by HIPAA. To enforce these access policies,
the data owners on one hand would like to take advantage of
the abundant resources that the cloud provides for efficiency
and economy; on the other hand, they may want to keep the
data contents confidential against cloud servers.
As a significant research area for system protection, data
access control has been evolving in the past thirty years and
various techniques [6]–[9] have been developed to effectively
implement fine-grained access control, which allows flexibility
in specifying differential access rights of individual users. Traditional
access control architectures usually assume the data
owner and the servers storing the data are in the same trusted
domain, where the servers are fully entrusted as an omniscient
reference monitor [10] responsible for defining and enforcing
access control policies. This assumption however no longer
holds in cloud computing since the data owner and cloud
servers are very likely to be in two different domains. On one
hand, cloud servers are not entitled to access the outsourced
data content for data confidentiality; on the other hand, the
data resources are not physically under the full control of the owner. For the purpose of helping the data owner enjoy
fine-grained access control of data stored on untrusted cloud
servers, a feasible solution would be encrypting data through
certain cryptographic primitive(s), and disclosing decryption
keys only to authorized users. Unauthorized users, including
cloud servers, are not able to decrypt since they do not have
the data decryption keys. This general method actually has
been widely adopted by existing works [11]–[14] which aim
at securing data storage on untrusted servers. One critical issue
with this branch of approaches is how to achieve the desired
security goals without introducing a high complexity on key
management and data encryption. These existing works, as
we will discuss in section V-C, resolve this issue either by
introducing a per file access control list (ACL) for fine-grained
access control, or by categorizing files into several f ilegroups
for efficiency. As the system scales, however, the complexity
of the ACL-based scheme would be proportional to the number
of users in the system. The f ilegroup-based scheme, on
the other hand, is just able to provide coarse-grained data
access control. It actually still remains open to simultaneously
achieve the goals of fine-grainedness, scalability, and data
confidentiality for data access control in cloud computing.
In this paper, we address this open issue and propose a
secure and scalable fine-grained data access control scheme
for cloud computing. Our proposed scheme is partially based
on our observation that, in practical application scenarios each
data file can be associated with a set of attributes which are
meaningful in the context of interest. The access structure of
each user can thus be defined as a unique logical expression
over these attributes to reflect the scope of data files that
the user is allowed to access. As the logical expression can
represent any desired data file set, fine-grainedness of data
access control is achieved. To enforce these access structures,
we define a public key component for each attribute. Data files
are encrypted using public key components corresponding to
their attributes. User secret keys are defined to reflect their
access structures so that a user is able to decrypt a ciphertext
if and only if the data file attributes satisfy his access structure.
Such a design also brings about the efficiency benefit, as
compared to previous works, in that, 1) the complexity of
encryption is just related the number of attributes associated
to the data file, and is independent to the number of users
in the system; and 2) data file creation/deletion and new user
grant operations just affect current file/user without involving
system-wide data file update or re-keying. One extremely
challenging issue with this design is the implementation of
user revocation, which would inevitably require re-encryption
of data files accessible to the leaving user, and may need
update of secret keys for all the remaining users. If all these
tasks are performed by the data owner himself/herself, it would
introduce a heavy computation overhead on him/her and may
also require the data owner to be always online. To resolve
this challenging issue, our proposed scheme enables the data
owner to delegate tasks of data file re-encryption and user
secret key update to cloud servers without disclosing data
contents or user access privilege information. We achieve our
design goals by exploiting a novel cryptographic primitive,
namely key policy attribute-based encryption (KP-ABE) [15], and uniquely combine it with the technique of proxy reencryption
(PRE) [16] and lazy re-encryption [11].
Main contributions of this paper can be summarized as
follows. 1) To the best of our knowledge, this paper is the first
that simultaneously achieves fine-grainedness, scalability and
data confidentiality for data access control in cloud computing;
2) Our proposed scheme enables the data owner to delegate
most of computation intensive tasks to cloud servers without
disclosing data contents or user access privilege information;
3) The proposed scheme is provably secure under the standard
security model. In addition, our proposed scheme is able to
support user accountability with minor extension.
The rest of this paper is organized as follows. Section II
discusses models and assumptions. Section III reviews some
technique preliminaries pertaining to our construction. Section
IV presents our construction. In section V, we analyze our
proposed scheme in terms of its security and performance.
We conclude this paper in Section VI.
II. MODELS AND ASSUMPTIONS
A. System Models
Similar to [17], we assume that the system is composed of
the following parties: the Data Owner, many Data Consumers,
many Cloud Servers, and a Third Party Auditor if necessary.
To access data files shared by the data owner, Data Consumers,
or users for brevity, download data files of their interest from
Cloud Servers and then decrypt. Neither the data owner nor
users will be always online. They come online just on the
necessity basis. For simplicity, we assume that the only access
privilege for users is data file reading. Extending our proposed
scheme to support data file writing is trivial by asking the data
writer to sign the new data file on each update as [12] does.
From now on, we will also call data files by files for brevity.
Cloud Servers are always online and operated by the Cloud
Service Provider (CSP). They are assumed to have abundant
storage capacity and computation power. The Third Party
Auditor is also an online party which is used for auditing every
file access event. In addition, we also assume that the data
owner can not only store data files but also run his own code
on Cloud Servers to manage his data files. This assumption
coincides with the unified ontology of cloud computing which
is recently proposed by Youseff et al. [18].
B. Security Models
In this work, we just consider Honest but Curious Cloud
Servers as [14] does. That is to say, Cloud Servers will follow
our proposed protocol in general, but try to find out as much
secret information as possible based on their inputs. More
specifically, we assume Cloud Servers are more interested
in file contents and user access privilege information than
other secret information. Cloud Servers might collude with a
small number of malicious users for the purpose of harvesting
file contents when it is highly beneficial. Communication
channel between the data owner/users and Cloud Servers are
assumed to be secured under existing security protocols such
as SSL. Users would try to access files either within or outside
the scope of their access privileges. To achieve this goal, unauthorized users may work independently or cooperatively.
In addition, each party is preloaded with a public/private key
pair and the public key can be easily obtained by other parties
when necessary.
C. Design Goals
Our main design goal is to help the data owner achieve
fine-grained access control on files stored by Cloud Servers.
Specifically, we want to enable the data owner to enforce a
unique access structure on each user, which precisely designates
the set of files that the user is allowed to access.
We also want to prevent Cloud Servers from being able to
learn both the data file contents and user access privilege
information. In addition, the proposed scheme should be able
to achieve security goals like user accountability and support
basic operations such as user grant/revocation as a general
one-to-many communication system would require. All these
design goals should be achieved efficiently in the sense that
the system is scalable.
III. TECHNIQUE PRELIMINARIES
A. Key Policy Attribute-Based Encryption (KP-ABE)
KP-ABE [15] is a public key cryptography primitive for
one-to-many communications. In KP-ABE, data are associated
with attributes for each of which a public key component is
defined. The encryptor associates the set of attributes to the
message by encrypting it with the corresponding public key
components. Each user is assigned an access structure which
is usually defined as an access tree over data attributes, i.e.,
interior nodes of the access tree are threshold gates and leaf
nodes are associated with attributes. User secret key is defined
to reflect the access structure so that the user is able to decrypt
a ciphertext if and only if the data attributes satisfy his access
structure. A KP-ABE scheme is composed of four algorithms
which can be defined as follows:
Setup This algorithm takes as input a security parameter κ
and the attribute universe U = {1, 2,...,N} of cardinality
N. It defines a bilinear group G1 of prime order p with a
generator g, a bilinear map e : G1 × G1 → G2 which has the
properties of bilinearity, computability, and non-degeneracy.
It returns the public key PK as well as a system master key
MK as follows
PK = (Y,T1, T2,...,TN )
MK = (y, t1, t2,...,tN )
where Ti ∈ G1 and ti ∈ Zp are for attribute i, 1 ≤ i ≤ N, and
Y ∈ G2 is another public key component. We have Ti = gti
and Y = e(g, g)y, y ∈ Zp. While PK is publicly known to
all the parties in the system, MK is kept as a secret by the
authority party.
Encryption This algorithm takes a message M, the public key
PK, and a set of attributes I as input. It outputs the ciphertext
E with the following format:
E = (I, E, ˜ {Ei}i∈I )
where E˜ = MY s, Ei = Ts
i , and s is randomly chosen from
Zp.
CONCLUSION
This paper aims at fine-grained data access control in cloud
computing. One challenge in this context is to achieve fine grainedness, data confidentiality, and scalability simultaneously,
which is not provided by current work. In this paper
we propose a scheme to achieve this goal by exploiting KPABE
and uniquely combining it with techniques of proxy
re-encryption and lazy re-encryption. Moreover, our proposed
scheme can enable the data owner to delegate most of computation
overhead to powerful cloud servers. Confidentiality
of user access privilege and user secret key accountability can
be achieved. Formal security proofs show that our proposed
scheme is secure under standard cryptographic models.