Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing
Shucheng Yu∗, Cong Wang†, Kui Ren†, and Wenjing Lou∗
∗Dept. of ECE, Worcester Polytechnic Institute, Email: {yscheng, wjlou}@ece.wpi.edu
†Dept. of ECE, Illinois Institute of Technology, Email: {cong, kren}@ece.iit.edu
Abstract—Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.
I. INTRODUCTION
Cloud computing is a promising computing paradigm which recently has drawn extensive attention from both academia and industry. By combining a set of existing and new techniques from research areas such as Service-Oriented Architectures (SOA) and virtualization, cloud computing is regarded as such a computing paradigm in which resources in the computing infrastructure are provided as services over the Internet. Along with this new paradigm, various business models are developed, which can be described by terminology of “X as a service (XaaS)” [1] where X could be software, hardware, data storage, etc. Successful examples are Amazon’s EC2 and S3 [2], Google App Engine [3], and Microsoft Azure [4], which provide users with scalable resources in the pay-as-you-use fashion at relatively low prices. For example, Amazon’s S3 data storage service just charges $0.12 to $0.15 per gigabyte-month. As compared to building their own infrastructures, users are able to save their investments significantly by migrating business into the cloud. With the increasing development of cloud computing technologies, it is not hard to imagine that in the near future more and more businesses will be moved into the cloud.
As promising as it is, cloud computing is also facing many challenges that, if not well resolved, may impede its fast growth. Data security, as it exists in many other applications, is among the challenges that would raise great concerns from users when they store sensitive information on cloud servers. The concerns originate from the fact that cloud servers are usually operated by commercial providers which are very likely to be outside of the trusted domain of the users. Data confidentiality against cloud servers is hence frequently desired when users outsource data for storage in the cloud. In some practical application systems, data confidentiality is not only a security/privacy issue, but also of juristic concerns. For example, in healthcare application scenarios use and disclosure of protected health information (PHI) should meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) [5], and keeping user data confidential against the storage servers is not just an option, but a requirement.

Furthermore, we observe that there are also cases in which cloud users themselves are content providers. They publish data on cloud servers for sharing and need fine-grained data access control in terms of which user (data consumer) has the access privilege to which types of data. In the healthcare case, for example, a medical center would be the data owner who stores millions of healthcare records in the cloud. It would allow data consumers such as doctors, patients, researchers, etc., to access various types of healthcare records under policies admitted by HIPAA. To enforce the access policies, the data owners on one hand would like to take advantage of the abundant resources that the cloud provides for efficiency and economy; on the other hand, they may want to keep the data contents confidential against cloud servers.
As a significant research area for system protection, data access control has been evolving in the past thirty years and various techniques [6]–[9] have been developed to effectively implement fine-grained access control, which allows flexibility in specifying differential access rights of individual users. Traditional access control architectures usually assume the data owner and the servers storing the data are in the same trusted domain, where the servers are fully entrusted as an omniscient reference monitor [10] responsible for defining and enforcing access control policies. This assumption however no longer holds in cloud computing since the data owner and cloud servers are very likely to be in two different domains. On one hand, cloud servers are not entitled to access the outsourced data content for data confidentiality; on the other hand, the data resources are not physically under the full control of the owner.

For the purpose of helping the data owner enjoy fine-grained access control of data stored on untrusted cloud servers, a feasible solution would be encrypting data through certain cryptographic primitive(s), and disclosing decryption keys only to authorized users. Unauthorized users, including cloud servers, are not able to decrypt since they do not have the data decryption keys. This general method actually has been widely adopted by existing works [11]–[14] which aim at securing data storage on untrusted servers. One critical issue with this branch of approaches is how to achieve the desired security goals without introducing a high complexity on key management and data encryption. The existing works, as we will discuss in section V-C, resolve this issue either by introducing a per file access control list (ACL) for fine-grained access control, or by categorizing files into several filegroups for efficiency. As the system scales, however, the complexity of the ACL-based scheme would be proportional to the number of users in the system. The filegroup-based scheme, on the other hand, is just able to provide coarse-grained data access control. It actually still remains open to simultaneously achieve the goals of fine-grainedness, scalability, and data confidentiality for data access control in cloud computing.
In this paper, we address this open issue and propose a secure and scalable fine-grained data access control scheme for cloud computing. Our proposed scheme is partially based on our observation that, in practical application scenarios each data file can be associated with a set of attributes which are meaningful in the context of interest. The access structure of each user can thus be defined as a unique logical expression over the attributes to reflect the scope of data files that the user is allowed to access. As the logical expression can represent any desired data file set, fine-grainedness of data access control is achieved. To enforce the access structures, we define a public key component for each attribute. Data files are encrypted using public key components corresponding to their attributes. User secret keys are defined to reflect their access structures so that a user is able to decrypt a ciphertext if and only if the data file attributes satisfy his access structure. Such a design also brings about the efficiency benefit, as compared to previous works, in that 1) the complexity of encryption is just related to the number of attributes associated to the data file, and is independent of the number of users in the system; and 2) data file creation/deletion and new user grant operations just affect the current file/user without involving system-wide data file update or re-keying. One extremely challenging issue with this design is the implementation of user revocation, which would inevitably require re-encryption of data files accessible to the leaving user, and may need update of secret keys for all the remaining users. If all the tasks are performed by the data owner himself/herself, it would introduce a heavy computation overhead on him/her and may also require the data owner to be always online. To resolve this challenging issue, our proposed scheme enables the data owner to delegate tasks of data file re-encryption and user secret key update to cloud servers without disclosing data contents or user access privilege information. We achieve our design goals by exploiting a novel cryptographic primitive, namely key policy attribute-based encryption (KP-ABE) [15], and uniquely combine it with the technique of proxy re-encryption (PRE) [16] and lazy re-encryption [11].
Main contributions of this paper can be summarized as follows.
1) To the best of our knowledge, this paper is the first that simultaneously achieves fine-grainedness, scalability and data confidentiality for data access control in cloud computing;
2) Our proposed scheme enables the data owner to delegate most of computation intensive tasks to cloud servers without disclosing data contents or user access privilege information;
3) The proposed scheme is provably secure under the standard security model. In addition, our proposed scheme is able to support user accountability with minor extension.
The rest of this paper is organized as follows. Section II discusses models and assumptions. Section III reviews some technique preliminaries pertaining to our construction. Section IV presents our construction. In section V, we analyze our proposed scheme in terms of its security and performance. We conclude this paper in Section VI.
II. MODELS AND ASSUMPTIONS
A. System Models
Similar to [17], we assume that the system is composed of the following parties: the Data Owner, many Data Consumers, many Cloud Servers, and a Third Party Auditor if necessary. To access data files shared by the data owner, Data Consumers, or users for brevity, download data files of their interest from Cloud Servers and then decrypt. Neither the data owner nor users will be always online. They come online just on the necessity basis. For simplicity, we assume that the only access privilege for users is data file reading. Extending our proposed scheme to support data file writing is trivial by asking the data writer to sign the new data file on each update as [12] does. From now on, we will also call data files by files for brevity. Cloud Servers are always online and operated by the Cloud Service Provider (CSP). They are assumed to have abundant storage capacity and computation power. The Third Party Auditor is also an online party which is used for auditing every file access event. In addition, we also assume that the data owner can not only store data files but also run his own code on Cloud Servers to manage his data files. This assumption coincides with the unified ontology of cloud computing which is recently proposed by Youseff et al. [18].
B. Security Models
In this work, we just consider Honest but Curious Cloud Servers as [14] does. That is to say, Cloud Servers will follow our proposed protocol in general, but try to find out as much secret information as possible based on their inputs. More specifically, we assume Cloud Servers are more interested in file contents and user access privilege information than other secret information. Cloud Servers might collude with a small number of malicious users for the purpose of harvesting file contents when it is highly beneficial. Communication channels between the data owner/users and Cloud Servers are assumed to be secured under existing security protocols such as SSL. Users would try to access files either within or outside the scope of their access privileges. To achieve this goal, unauthorized users may work independently or cooperatively. In addition, each party is preloaded with a public/private key pair and the public key can be easily obtained by other parties when necessary.
C. Design Goals
Our main design goal is to help the data owner achieve fine-grained access control on files stored by Cloud Servers. Specifically, we want to enable the data owner to enforce a unique access structure on each user, which precisely designates the set of files that the user is allowed to access. We also want to prevent Cloud Servers from being able to learn both the data file contents and user access privilege information. In addition, the proposed scheme should be able to achieve security goals like user accountability and support basic operations such as user grant/revocation as a general one-to-many communication system would require. All these design goals should be achieved efficiently in the sense that the system is scalable.
III. TECHNIQUE PRELIMINARIES
A. Key Policy Attribute-Based Encryption (KP-ABE)
KP-ABE [15] is a public key cryptography primitive for one-to-many communications. In KP-ABE, data are associated with attributes for each of which a public key component is defined. The encryptor associates the set of attributes to the message by encrypting it with the corresponding public key components. Each user is assigned an access structure which is usually defined as an access tree over data attributes: interior nodes of the access tree are threshold gates and leaf nodes are associated with attributes. The user secret key is defined to reflect the access structure so that the user is able to decrypt a ciphertext if and only if the data attributes satisfy his access structure. A KP-ABE scheme is composed of four algorithms which can be defined as follows:
Setup: This algorithm takes as input a security parameter $\kappa$ and the attribute universe $U = \{1, 2, \ldots, N\}$ of cardinality $N$. It defines a bilinear group $G_1$ of prime order $p$ with a generator $g$, and a bilinear map $e: G_1 \times G_1 \rightarrow G_2$ which has the properties of bilinearity, computability, and non-degeneracy. It returns the public key $PK$ as well as a system master key $MK$ as follows

$$PK = (Y, T_1, T_2, \ldots, T_N)$$
$$MK = (y, t_1, t_2, \ldots, t_N)$$

where $T_i \in G_1$ and $t_i \in Z_p$ are for attribute $i$, $1 \le i \le N$, and $Y \in G_2$ is another public key component. We have $T_i = g^{t_i}$ and $Y = e(g, g)^y$, $y \in Z_p$. While $PK$ is publicly known to all the parties in the system, $MK$ is kept as a secret by the authority party.
Encryption: This algorithm takes a message $M$, the public key $PK$, and a set of attributes $I$ as input. It outputs the ciphertext $E$ with the following format:

$$E = (I, \tilde{E}, \{E_i\}_{i \in I})$$

where $\tilde{E} = M Y^s$, $E_i = T_i^s$, and $s$ is randomly chosen from $Z_p$.

Key Generation: This algorithm takes as input an access tree $T$, the master key $MK$, and the public key $PK$. It outputs a user secret key $SK$ as follows. First, it defines a random polynomial $p_i(x)$ for each node $i$ of $T$ in the top-down manner starting from the root node $r$. For each non-root node $j$, $p_j(0) = p_{parent(j)}(idx(j))$ where $parent(j)$ represents $j$'s parent and $idx(j)$ is $j$'s unique index given by its parent. For the root node $r$, $p_r(0) = y$. Then it outputs $SK$ as follows.

$$SK = \{sk_i\}_{i \in L}$$

where $L$ denotes the set of attributes attached to the leaf nodes of $T$ and $sk_i = g^{p_i(0)/t_i}$.
Decryption: This algorithm takes as input the ciphertext $E$ encrypted under the attribute set $I$, the user's secret key $SK$ for access tree $T$, and the public key $PK$. It first computes $e(E_i, sk_i) = e(g, g)^{p_i(0) s}$ for leaf nodes. Then, it aggregates the pairing results in the bottom-up manner using the polynomial interpolation technique. Finally, it may recover the blind factor $Y^s = e(g, g)^{ys}$ and output the message $M$ if and only if $I$ satisfies $T$.

Please refer to [15] for more details on KP-ABE algorithms. [19] is an enhanced KP-ABE scheme which supports user secret key accountability.
B. Proxy Re-Encryption (PRE)
Proxy Re-Encryption (PRE) is a cryptographic primitive in which a semi-trusted proxy is able to convert a ciphertext encrypted under Alice's public key into another ciphertext that can be opened by Bob's private key without seeing the underlying plaintext. More formally, a PRE scheme allows the proxy, given the proxy re-encryption key $rk_{a \leftrightarrow b}$, to translate ciphertexts under public key $pk_a$ into ciphertexts under public key $pk_b$ and vice versa. Please refer to [16] for more details on proxy re-encryption schemes.
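A concrete bidirectional PRE, as an added example that is not code from the paper: an ElGamal-style construction in the manner of Blaze, Bleumer and Strauss, in which $rk_{a \leftrightarrow b} = b/a$ (an assumed instantiation, since this section fixes no scheme), over a constructed toy group far too small for real keys. `collapse` also shows that a chain of such keys multiplies into one key, the property the attribute history list relies on later in the paper; all function names are assumptions.

```python
import secrets

# Constructed toy parameters: Q = 2*P + 1 is a safe prime and G = 4 generates
# the subgroup of prime order P. Real deployments need far larger groups.
Q, P, G = 2039, 1019, 4

def keygen():
    a = secrets.randbelow(P - 1) + 1          # private key a in [1, P-1]
    return a, pow(G, a, Q)                    # public key pk_a = g^a

def encrypt(m, pk):
    r = secrets.randbelow(P - 1) + 1
    return (m * pow(G, r, Q) % Q,             # c1 = m * g^r
            pow(pk, r, Q))                    # c2 = g^{a r}

def decrypt(ct, a):
    c1, c2 = ct
    g_r = pow(c2, pow(a, -1, P), Q)           # (g^{a r})^{1/a} = g^r
    return c1 * pow(g_r, -1, Q) % Q           # m = c1 / g^r

def rekey(a, b):
    """rk_{a<->b} = b/a mod P; its inverse a/b translates the other way."""
    return b * pow(a, -1, P) % P

def reencrypt(ct, rk):
    c1, c2 = ct
    return (c1, pow(c2, rk, Q))               # g^{a r} -> g^{b r}; c1 untouched

def collapse(rks):
    """Multiply a chain rk_{0<->1}, rk_{1<->2}, ... into one key rk_{0<->n}."""
    out = 1
    for rk in rks:
        out = out * rk % P
    return out

def demo():
    a, pk_a = keygen()
    b, _ = keygen()
    ct_a = encrypt(1234, pk_a)                # constructed sample plaintext
    ct_b = reencrypt(ct_a, rekey(a, b))       # proxy never sees 1234
    back = reencrypt(ct_b, rekey(b, a))       # bidirectional: b -> a
    return decrypt(ct_a, a), decrypt(ct_b, b), decrypt(back, a)

if __name__ == "__main__":
    print(demo())
```

The proxy only exponentiates the second ciphertext component, so it translates ciphertexts without ever holding a decryption key or the plaintext.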
IV. OUR PROPOSED SCHEME
A. Main Idea
In order to achieve secure, scalable and fine-grained access control on outsourced data in the cloud, we utilize and uniquely combine the following three advanced cryptographic techniques: KP-ABE, PRE and lazy re-encryption. More specifically, we associate each data file with a set of attributes, and assign each user an expressive access structure which is defined over these attributes. To enforce this kind of access control, we utilize KP-ABE to escort data encryption keys of data files. Such a construction enables us to immediately enjoy fine-grainedness of access control. However, this construction, if deployed alone, would introduce heavy computation overhead and cumbersome online burden towards the data owner, as he is in charge of all the operations of data/user management. Specifically, such an issue is mainly caused by the operation of user revocation, which inevitably requires the data owner to re-encrypt all the data files accessible to the leaving user, or even needs the data owner to stay online to update secret keys for users. To resolve this challenging issue and make the construction suitable for cloud computing, we uniquely combine PRE with KP-ABE and enable the data owner to delegate most of the computation intensive operations to Cloud Servers without disclosing the underlying file contents. Such a construction allows the data owner to control access of his data files with a minimal overhead in terms of computation effort and online time, and thus fits well into the cloud environment. Data confidentiality is also achieved since Cloud Servers are not able to learn the plaintext of any data file in our construction. For further reducing the computation overhead on Cloud Servers and thus saving the data owner's investment, we take advantage of the lazy re-encryption technique and allow Cloud Servers to “aggregate” computation tasks of multiple system operations. As we will discuss in section V-B, the computation complexity on Cloud Servers is either proportional to the number of system attributes, or linear to the size of the user access structure/tree, which is independent of the number of users in the system. Scalability is thus achieved. In addition, our construction also protects user access privilege information against Cloud Servers. Accountability of user secret key can also be achieved by using an enhanced scheme of KP-ABE.

Fig. 1: An exemplary case in the healthcare scenario

B. Definition and Notation
For each data file the owner assigns a set of meaningful attributes which are necessary for access control. Different data files can have a subset of attributes in common. Each attribute is associated with a version number for the purpose of attribute update as we will discuss later. Cloud Servers keep an attribute history list $AHL$ which records the version evolution history of each attribute and PRE keys used. In addition to these meaningful attributes, we also define one dummy attribute, denoted by symbol $Att_D$, for the purpose of key management. $Att_D$ is required to be included in every data file's attribute set and will never be updated. The access structure of each user is implemented by an access tree. Interior nodes of the access tree are threshold gates. Leaf nodes of the access tree are associated with data file attributes. For the purpose of key management, we require the root node to be an AND gate (i.e., $n$-of-$n$ threshold gate) with one child being the leaf node which is associated with the dummy attribute, and the other child node being any threshold gate. The dummy attribute will not be attached to any other node in the access tree. Fig. 1 illustrates our definitions by an example. In addition, Cloud Servers also keep a user list $UL$ which records IDs of all the valid users in the system. Fig. 2 gives the description of notation to be used in our scheme.
Notation                        Description
$PK$, $MK$                      system public key and master key
$T_i$                           public key component for attribute $i$
$t_i$                           master key component for attribute $i$
$SK$                            user secret key
$sk_i$                          user secret key component for attribute $i$
$E_i$                           ciphertext component for attribute $i$
$I$                             attribute set assigned to a data file
$DEK$                           symmetric data encryption key of a data file
$P$                             user access structure
$L_P$                           set of attributes attached to leaf nodes of $P$
$Att_D$                         the dummy attribute
$UL$                            the system user list
$AHL_i$                         attribute history list for attribute $i$
$rk_{i \leftrightarrow i'}$     proxy re-encryption key for attribute $i$ from its current version to the updated version $i'$
$\delta_{O,X}$                  the data owner's signature on message $X$

Fig. 2: Notation used in our scheme description

C. Scheme Description
For clarity we will present our proposed scheme in two levels: System Level and Algorithm Level. At system level, we describe the implementation of high level operations, i.e., System Setup, New File Creation, New User Grant, User Revocation, File Access, and File Deletion, and the interaction between involved parties. At algorithm level, we focus on the implementation of low level algorithms that are invoked by system level operations.
1) System Level Operations: System level operations in our proposed scheme are designed as follows.
System Setup: In this operation, the data owner chooses a security parameter $\kappa$ and calls the algorithm level interface $ASetup(\kappa)$, which outputs the system public parameter $PK$ and the system master key $MK$. The data owner then signs each component of $PK$ and sends $PK$ along with these signatures to Cloud Servers.
New File Creation: Before uploading a file to Cloud Servers, the data owner processes the data file as follows.
• select a unique ID for this data file;
• randomly select a symmetric data encryption key $DEK \xleftarrow{R} K$, where $K$ is the key space, and encrypt the data file using $DEK$;
• define a set of attributes $I$ for the data file and encrypt $DEK$ with $I$ using KP-ABE, i.e., $(\tilde{E}, \{E_i\}_{i \in I}) \leftarrow AEncrypt(I, DEK, PK)$.
Finally, each data file is stored on the cloud in the format as is shown in Fig. 3.

header: ID | $I$, $\tilde{E}$, $\{E_i\}_{i \in I}$
body:   $\{DataFile\}_{DEK}$

Fig. 3: Format of a data file stored on the cloud
// to revoke user $v$
// stage 1: attribute update.
The Data Owner:
1. $D \leftarrow AMinimalSet(P)$, where $P$ is $v$'s access structure;
2. for each attribute $i$ in $D$: $(t'_i, T'_i, rk_{i \leftrightarrow i'}) \leftarrow AUpdateAtt(i, MK)$;
3. send $Att = (v, D, \{i, T'_i, \delta_{O,(i,T'_i)}, rk_{i \leftrightarrow i'}\}_{i \in D})$.
The Data Owner → Cloud Servers: $Att$
Cloud Servers:
remove $v$ from the system user list $UL$;
for each attribute $i \in D$: store $(i, T'_i, \delta_{O,(i,T'_i)})$; add $rk_{i \leftrightarrow i'}$ to $i$'s history list $AHL_i$.

// stage 2: data file and user secret key update.
User ($u$):
1. generate data file access request $REQ$;
2. wait for the response from Cloud Servers;
User ($u$) → Cloud Servers: $REQ$
Cloud Servers:
1. on receiving $REQ$, proceed if $u \in UL$;
2. get the tuple $(u, \{j, sk_j\}_{j \in L_P \setminus Att_D})$;
   for each attribute $j \in L_P \setminus Att_D$: $sk'_j \leftarrow AUpdateSK(j, sk_j, AHL_j)$;
   for each requested file $f$ in $REQ$, for each attribute $k \in I_f$: $E'_k \leftarrow AUpdateAtt4File(k, E_k, AHL_k)$;
3. send $RESP = (\{j, sk'_j, T'_j, \delta_{O,(j,T'_j)}\}_{j \in L_P \setminus Att_D}, FL)$.
Cloud Servers → User ($u$): $RESP$
User ($u$):
3. on receiving $RESP$, verify each $\delta_{O,(j,T'_j)}$ and $sk'_j$; proceed if all correct;
4. replace each $sk_j$ in $SK$ with $sk'_j$;
5. decrypt each file in $FL$ with $SK$.

Fig. 4: Description of the process of user revocation

New User Grant: When a new user wants to join the system, the data owner assigns an access structure and the corresponding secret key to this user as follows.
• assign the new user a unique identity $w$ and an access structure $P$;
• generate a secret key $SK$ for $w$, i.e., $SK \leftarrow AKeyGen(P, MK)$;
• encrypt the tuple $(P, SK, PK, \delta_{O,(P,SK,PK)})$ with user $w$'s public key, denoting the ciphertext by $C$;
• send the tuple $(T, C, \delta_{O,(T,C)})$ to Cloud Servers, where $T$ denotes the tuple $(w, \{j, sk_j\}_{j \in L_P \setminus Att_D})$.
On receiving the tuple $(T, C, \delta_{O,(T,C)})$, Cloud Servers process as follows.
• verify $\delta_{O,(T,C)}$ and proceed if correct;
• store $T$ in the system user list $UL$;
• forward $C$ to the user.
On receiving $C$, the user first decrypts it with his private key. Then he verifies the signature $\delta_{O,(P,SK,PK)}$. If correct, he accepts $(P, SK, PK)$ as his access structure, secret key, and the system public key.
As described above, Cloud Servers store all the secret key components of $SK$ except for the one corresponding to the dummy attribute $Att_D$. Such a design allows Cloud Servers to update these secret key components during user revocation as we will describe soon. As there still exists one undisclosed secret key component (the one for $Att_D$), Cloud Servers cannot use the known ones to correctly decrypt ciphertexts. Actually, the disclosed secret key components, if given to any unauthorized user, do not give him any extra advantage in decryption as we will show in our security analysis.

User Revocation: We start with the intuition of the user revocation operation as follows. Whenever there is a user to be revoked, the data owner first determines a minimal set of attributes without which the leaving user's access structure will never be satisfied. Next, he updates these attributes by redefining their corresponding system master key components in $MK$. Public key components of all these updated attributes in $PK$ are redefined accordingly. Then, he updates user secret keys accordingly for all the users except for the one to be revoked. Finally, $DEK$s of affected data files are re-encrypted with the latest version of $PK$. The main issue with this intuitive scheme is that it would introduce a heavy computation overhead for the data owner to re-encrypt data files and might require the data owner to be always online to provide secret key update service for users. To resolve this issue, we combine the technique of proxy re-encryption with KP-ABE and delegate tasks of data file re-encryption and user secret key update to Cloud Servers. More specifically, we divide the user revocation scheme into two stages as is shown in Fig. 4. In the first stage, the data owner determines the minimal set of attributes, redefines $MK$ and $PK$ for involved attributes, and generates the corresponding PRE keys. He then sends the user's ID, the minimal attribute set, the PRE keys, the updated public key components, along with his signatures on these components to Cloud Servers, and can go off-line again. Cloud Servers, on receiving this message from the data owner, remove the revoked user from the system user list $UL$, store the updated public key components as well as the owner's signatures on them, and record the PRE key of the latest version in the attribute history list $AHL$ for each updated attribute. $AHL$ of each attribute is a list used to record the version evolution history of this attribute as well as the PRE keys used. Every attribute has its own $AHL$. With $AHL$, Cloud Servers are able to compute a single PRE key that enables them to update the attribute from any historical version to the latest version. This property allows Cloud Servers to update user secret keys and data files in the “lazy” way as follows. Once a user revocation event occurs, Cloud Servers just record information submitted by the data owner as is previously discussed. Only when there is a file data access request from a user do Cloud Servers re-encrypt the requested files and update the requesting user's secret key. This statistically saves a lot of computation overhead since Cloud Servers are