Contact at or 8097636691
Responsive Ads Here

Monday, 28 May 2018

On the Security of Data Access Control for Multiauthority Cloud Storage Systems

Data access control has becoming a challenging issue in cloud storage systems. Some techniques have been proposed to achieve the secure data access control in a semitrusted cloud storage system. Recently, K.Yang et al.proposed a basic data access control scheme for multi-authority cloud storage system (DAC-MACS) and an extensive data access control scheme (EDAC-MACS). They claimed that the DAC-MACS could achieve efficient decryption and immediate revocation and the EDAC-MACS could also achieve these goals even though non-revoked users reveal their Key Update Keys to the revoked user. However, through our cryptanalysis, the revocation security of both schemes cannot be guaranteed. In this paper, we first give two attacks on the two schemes. By the first attack, the revoked user can eavesdrop to obtain other users’ Key Update Keys to update its Secret Key, and then it can obtain proper Token to decrypt any secret information as a non-revoked user. In addition, by the second attack, the revoked user can intercept Ciphertext Update Key to retrieve its ability to decrypt any secret information as a non-revoked user. Secondly, we propose a new extensive DAC-MACS scheme (NEDAC-MACS) to withstand the above two attacks so as to guarantee more secure attribute revocation. Then, formal cryptanalysis of NEDAC-MACS is presented to prove the security goals of the scheme. Finally, the performance comparison among NEDAC-MACS and related schemes is given to demonstrate that the performance of NEDAC-MACS is superior to that of DACC, and relatively same as that of DAC-MACS.
  • Due to data outsourcing and untrusted cloud servers, the data access control becomes a challenging issue in cloud storage systems.
  • Existing access control schemes are no longer applicable to cloud storage systems, because they either produce multiple encrypted copies of the same data or require a fully trusted cloud server.
  • Cloud storage service separates the roles of the data owner from the data service provider, and the data owner does not interact with the user directly for providing data access service, which makes the data access control a challenging issue in cloud storage systems.
  • The cloud server cannot be fully trusted by data owners, traditional server-based access control methods are no longer applicable to cloud storage systems.
  • We first construct a new multi-authority CPABE scheme with efficient decryption and design an efficient attribute revocation method for it. Then, we apply them to design an effective access control scheme for multi-authority systems. The main contributions of this work can be summarized as follows.
  • We propose DAC-MACS (Data Access Control for Multi-Authority Cloud Storage), an effective and secure data access control scheme for multi-authority cloud storage systems, which is provably secure in the random oracle model and has better performance than existing schemes.
  • We construct a new multi-authority CP-ABE scheme with efficient decryption. Specifically, we outsource the main computation of the decryption by using a token based decryption method.
  • We also design an efficient immediate attribute revocation method for multi-authority CP-ABE scheme that achieves both forward security and backward security. It is efficient in the sense that it incurs less communication cost and computation cost of the revocation.
  • NEDAC-MACS can withstand the two vulnerabilities even though the non-revoked users reveal their received key update keys to the revoked user.
  • The performance simulation shows the overall storage, computation, and communication overheads of the NEDAC-MACS are superior to that of DACC and relatively same as that of DAC-MACS.

  1. Global trusted certificate authority
  2. Attribute Authority
  3. Cloud Server
  4. Data Owner
  5. User

  1. Global trusted certificate authority:
The CA is a global trusted certificate authority in the system. It sets up the system and accepts the registration of all the users and AAs in the system. The CA is responsible for the distribution of global secret key and global public key for each
legal user in the system. However, the CA is not involved in any attribute management and the creation of secret keys that are associated with attributes. For example, the CA can be the Social Security Administration, an independent agency of the United States government. Each user will be issued a Social Security Number (SSN) as its global identity.
  1. Attribute Authority:
Every AA is an independent attribute authority that is responsible for issuing, revoking and updating user’s attributes according to their role or identity in its domain. In DACMACS, every attribute is associated with a single AA, but each AA can manage an arbitrary number of attributes. Every AA has full control over the structure and semantics of its attributes. Each AA is responsible for generating a public attribute key for each attribute it manages and a secret key for each user associates with their attributes. 
  1. Cloud Server:
The cloud server stores the owners’ data and provides data access service to users. It generates the decryption token of a ciphertext for the user by using the secret keys of the user issued by the AAs. The server also does the ciphertext update when an attribute revocation happens.
  1. Data Owner:
The data owners define the access policies and encrypt the data under the policies before hosting them in the cloud. They do not rely on the server to do the data access control. Instead, the ciphertext can be accessed by all the legal users in the system. But, the access control happens inside the cryptography. That is only when the user’s attributes satisfy the access policy defined in the ciphertext, the user can decrypt the ciphertext.
  1. User:
Each user is assigned with a global user identity from the CA. Each user can freely get the ciphertexts from the server. To decrypt a ciphertext, each user may submit their secret keys issued by some AAs together with its global public key to the server and ask it to generate an decryption token for some ciphertext. Upon receiving the decryption token, the user can decrypt the ciphertext by using its global secret key. Only when the user’s attributes satisfy the access policy defined in the ciphertext, the server can generate the correct decryption token. The secret keys and the global user’s public key can be stored on the server; subsequently, the user does not need to submit any secret keys if no secret keys are updated for the further decryption token generation.
  • System :         Pentium IV 2.4 GHz.
  • Hard Disk :         40 GB.
  • Floppy Drive : 44 Mb.
  • Monitor : 15 VGA Colour.
  • Mouse : Logitech
  • Ram : 512 Mb.
  • Operating system : Windows XP/7.
  • Coding Language : JAVA/J2EE
  • IDE : Eclipse Luna
  • Database : MYSQL
Xianglong Wu, Rui Jiang, and Bharat Bhargava, Fellow, IEEE, “On the Security of Data Access Control for Multiauthority Cloud Storage Systems”, IEEE Transactions on Services Computing, 2017.

No comments:

Post a Comment