Download to read offline
![International Journal of Science and Engineering Applications Volume 5 Issue 2, 2016, ISSN-2319-7560 (Online) www.ijsea.com 73 A Privacy Preserving Attribute Based Access Control Mechanism In Distributed Environment for Cloud Storage Sneha Lihite Department of Computer Science and Engineering BIT,Ballarpur,India Bhushan Ugale Department of Computer Science and Engineering BIT,Ballarpur,India Abstract: We propose a new decentralized access control scheme for secure data storage in clouds that supports anonymous authentication. In the proposed scheme, the cloud verifies the authenticity of the series without knowing the user’s identity before storing data. Our scheme also has the added feature of access control in which only valid users are able to decrypt the stored information. The scheme prevents replay attacks and supports creation, modification, and reading data stored in the cloud. We also address user revocation. Moreover, our authentication and access control scheme is decentralized and robust, unlike other access control schemes designed for clouds which are centralized. The communication, computation, and storage overheads are comparable to centralized approaches. Keywords: Access control, authentication, attribute-based signatures, attribute-based encryption, cloud storage. 1. INTRODUCTION Research in cloud computing is receiving a lot of attention from both academic and industrial worlds. In cloud computing, users can outsource their computation and storage to servers (also called clouds) using Internet. Clouds can provide several types of services like applications (e.g., Google Apps, Microsoft online), infrastructures (e.g., Amazon’s EC2, Eucalyptus, Nimbus), and platforms to help developers write applications (e.g., Amazon’s S3, Windows Azure). Much of the data stored in clouds is highly sensitive, for example, medical records and social networks. Security and privacy are thus very important issues in cloud computing. In one hand, the user should authenticate itself before initiating any transaction, and on the other hand, it must be ensured that the cloud or other users do not know the identity of the user. The cloud can hold the user accountable for the data it outsources, and likewise, the cloud itself accountable for the services it provides[1]. The validity of the user who stores the data is also verified. Apart from the technical solutions to ensure security and privacy, there is also a need for law enforcement.Cloud servers are prone to Byzantine failure, where a storage server can fail in arbitrary ways. The cloud is also prone to data modification and server colluding attacks. In server colluding attack, the adversary can compromise storage servers, so that it can modify data files as long as they are internally consistent[2]. To provide secure data storage, the data needs to be encrypted. However, the data is often modified and this dynamic property needs to be taken into account while designing efficient secure storage techniques[7]. Efficient search on encrypted data is also an important concern in clouds. The clouds should not know the query but should be able to return the records that satisfy the query. This is achieved by means of searchable encryption. Access control in clouds is gaining attention because it is important that only authorized users have access to valid service[3]. A huge amount of information is being stored in the cloud, and much of this is sensitive information. Care should be taken to ensure access control of this sensitive information which can often related to health, important documents (as in Google Docs or Dropbox) or even personal information (as in social networking)[2].Access control is also gaining importance in online social networking where users (members) store their personal information, pictures, videos and share them with selected groups of users or communities they belong to. It is not just enough to store the contents securely in the cloud but it might also be necessary to ensure anonymity of the user. For example, a user would like to store some sensitive information but does not want to be recognized. The user might want to post a comment on an article, but does not want his/her identity to be disclosed[3]. However, the user should be able to prove to the other users that he/she is a valid user who stored the information without revealing the identity. Existing work on access control in cloud are centralized in nature. Even if some decentralized approaches were proposed does not support authentication. Earlier work provides privacy preserving authenticated access control in cloud[1]. However, the authors take a centralized approach where single key distribution center (KDC) distributes secret keys and attributes to all users[6]. 1.1 Our Contributions The main contributions of this paper are the following: 1. Distributed access control of data stored in cloud so that only authorized users with valid attributes can access them.](https://image.slidesharecdn.com/ijsea05021005-160420094105/75/A-Privacy-Preserving-Attribute-Based-Access-Control-Mechanism-In-Distributed-Environment-for-Cloud-Storage-1-2048.jpg)
![International Journal of Science and Engineering Applications Volume 5 Issue 2, 2016, ISSN-2319-7560 (Online) www.ijsea.com 74 2. Authentication of users who store and modify their data on the cloud. 3. The identity of the user is protected from the cloud during authentication. 4. The architecture is decentralized, meaning that there can be several KDCs for key management. 5. The access control and authentication are both collusion resistant, meaning that no two users can collude and access data or authenticate themselves, if they are individually not authorized. 6. Revoked users cannot access data after they have been revoked. 7. The proposed scheme is resilient to replay attacks. A writer whose attributes and keys have been revoked cannot write back stale information. 8. The protocol supports multiple read and write on the data stored in the cloud. 9. The costs are comparable to the existing centralized approaches, and the expensive operations are mostly done by the cloud. 2. EXISTING ARCHITECTURE The pictorial overview of the existing architecture is depicted in Fig. 1.Existing access control architecture in cloud are centralized in nature. Fig. 1 Single KDC architecture The scheme uses a symmetric key approach and does not support authentication. Earlier work provides privacy preserving authenticated access control in cloud. However, the authors take a centralized approach where single key distribution center (KDC) distributes secret keys and attributes to all users. Unfortunately, a single KDC is not only a single point of failure but difficult to maintain because of large number of users that are supported in a cloud environment. We, therefore, emphasize that clouds should take a decentralized approach while distributing secret keys and attribute to users. It is also quite natural for clouds to have may KDCs in different locations in the world[1]. 3. PROPOSED ARCHITECTURE The Single KDC architecture with no anonymous authentication makes it more complicated and it also increases the storage overhead at the single KDC. Fig. 2 Decentralized KDC architecture The pictorial overview of the decentralized KDC is depicted in Fig. 2.The proposed decentralized architecture, also authenticate users, who want to remain anonymous while accessing the cloud[1]. We proposed a distributed access control mechanism in clouds. In the preliminary version of this paper, we extend the previous work with added features which enables to authenticate the validity of the message without revealing the identity of user who has stored information in the cloud. In this paper, we also address user revocation. We use attribute based signature scheme to achieve authenticity and privacy[12]. Our scheme is resistant to replay attacks, in which user can replace fresh data with stale data from previous write, even if it no longer has valid claim policy. This is an important property because a user, revoked of its attributes, might no longer be able to write to the cloud[2]. The proposed architecture consists of the following modules. The decentralized Key Distribution Centre architecture here considers two KDC[4]. The pictorial representation of the overall flow of the proposed architecture is depicted in Fig. 2a. Fig 2a.Overall flow diagram 1. Service Request to TPA: The user registers with the original identity and enrolls with the Third Party Authenticator(TPA).The user sends request to the Third Party Authenticator(TPA) for registration 2. TPA Policy Creation: The TPA along with token provides the rules and regulation to be followed by Creator, Reader and Writer.](https://image.slidesharecdn.com/ijsea05021005-160420094105/75/A-Privacy-Preserving-Attribute-Based-Access-Control-Mechanism-In-Distributed-Environment-for-Cloud-Storage-2-2048.jpg)
![International Journal of Science and Engineering Applications Volume 5 Issue 2, 2016, ISSN-2319-7560 (Online) www.ijsea.com 75 3. User File Upload: The file creator after getting proper authentication encrypts the file and uploads his files in the cloud. 4. KDC Key Generation: The Key Distribution Centers which are decentralized generate different keys to different types of users after getting tokens from users. 5. Key Revocation: Whenever there is miss behavior detected upon a user his key is revoked and that particular user can neither use or re-enter the cloud environment. 6. Cloud Admin: Cloud admin has the list of Key Distribution Centres (KDCs) and Third Party Authenticator(TPA). The cloud admin sets the norms to be followed by TPA and KDC. It monitors the key generation policies and informs abnormal behaviours. 4. COMPARISON OF OUR SCHEME WITH EXISTING ACCESS CONTROL SCHEMES Fig. 3 Comparison with other access control schemes 5.CONCLUSION AND FUTURE WORK We have presented a decentralized access control technique with anonymous authentication, which provides user revocation and prevents replay attacks. The cloud does not know the identity of the user who stores information, but only verifies the user’s credentials. Key distribution is done in a decentralized way. One limitation is that the cloud knows the access policy for each record stored in the cloud. In next phase, we would like to hide the attributes and access policy of a user. This project can overcome the top threats identified in clouds which are identified recently. The threats that can be overcome are data loss, insecure APIs, Denial of Service, abuse of cloud services, shared technology issues. 6.ACKNOWLEDGMENTS I would like to extend my gratitude to many people who helped me to bring this paper fruition. First I would like to thank Prof. Bhushan Ugale. I am so deeply grateful for his help, professionalism, and valuable guidance throughout this paper. I would also like to thank to my friends and colleague. This accomplishment would not have been possible without them. Thank you. 7.REFERENCES [1] Sushmita Ruj, Milos Stojmenovic, Amiya Nayak, "Decentralized Access Control with Anonymous Authentication for Securing Data in Clouds,"IEEE Transactions on Parallel and Distributed Systems, pp. 1045- 9219, 2013. [2] S. Ruj, M. Stojmenovic and A. Nayak, “Privacy Preserving Access Control with Authentication for Securing Data in Clouds”, IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 556–563, 2012. [3] C. Wang, Q. Wang, K. Ren, N. Cao and W. Lou, “Toward Secure and Dependable Storage Services in Cloud Computing”, IEEE T. Services Computing, vol. 5, no. 2, pp. 220–232, 2012. [4] J. Li, Q. Wang, C. Wang, N. Cao, K. Ren, and W. Lou, “Fuzzy keyword search over encrypted data in cloud computing,” in IEEE INFOCOM. , pp. 441–445, 2010. [5] S. Kamara and K. Lauter, “Cryptographic cloud storage,” in Financial Cryptography Workshops, ser. Lecture Notes in Computer Science, vol. 6054. Springer, pp. 136–149, 2010. [6] H. Li, Y. Dai, L. Tian, and H. Yang, “Identity-based authentication for cloud computing,” in CloudCom, ser. Lecture Notes in Computer Science, vol. 5931. Springer, pp. 157–166, 2009. [7] C. Gentry, “A fully homomorphic encryption scheme,” Ph.D. dissertation, Stanford University, 2009, http://www.crypto.stanford.edu/craig. [8] A.-R. Sadeghi, T. Schneider, and M. Winandy, “Token- based cloud computing,” in TRUST, ser. Lecture Notes in Computer Science, vol. 6101. Springer, pp. 417–429, 2010. [9] R. K. L. Ko, P. Jagadpramana, M. Mowbray, S. Pearson, M. Kirchberg, Q. Liang, and B. S. Lee, “Trustcloud: A framework for accountability and trust in cloud computing,” HP Technical Report HPL-2011-38. Available at http://www.hpl.hp.com/techreports/2011/HPL-2011-38.html. [10] R. Lu, X. Lin, X. Liang, and X. Shen, “Secure Provenance: The Essential of Bread and Butter of Data Forensics in Cloud Computing,” in ACM ASIACCS, pp. 282– 292, 2010. [11] D. F. Ferraiolo and D. R. Kuhn, “Role-based access controls,” in 15th National Computer Security Conference, 1992. [12] A B Lewko and B Waters, “Decentralizing attribute based encryption”, springer 2011.](https://image.slidesharecdn.com/ijsea05021005-160420094105/75/A-Privacy-Preserving-Attribute-Based-Access-Control-Mechanism-In-Distributed-Environment-for-Cloud-Storage-3-2048.jpg)
Uploaded byEditor IJCATR
A Privacy Preserving Attribute Based Access Control Mechanism In Distributed Environment for Cloud Storage
This paper presents a decentralized access control scheme for secure data storage in cloud environments that facilitates anonymous user authentication and prevents unauthorized access through attribute-based controls. The proposed method allows for user revocation and is designed to resist replay attacks, ensuring that only users with valid authentication can access or modify stored data. The architecture, which contrasts with existing centralized approaches, aims to enhance both security and privacy in cloud computing.
A Privacy Preserving Attribute Based Access Control Mechanism In Distributed Environment for Cloud Storage
- 1. International Journal ofScience and Engineering Applications Volume 5 Issue 2, 2016, ISSN-2319-7560 (Online) www.ijsea.com 73 A Privacy Preserving Attribute Based Access Control Mechanism In Distributed Environment for Cloud Storage Sneha Lihite Department of Computer Science and Engineering BIT,Ballarpur,India Bhushan Ugale Department of Computer Science and Engineering BIT,Ballarpur,India Abstract: We propose a new decentralized access control scheme for secure data storage in clouds that supports anonymous authentication. In the proposed scheme, the cloud verifies the authenticity of the series without knowing the user’s identity before storing data. Our scheme also has the added feature of access control in which only valid users are able to decrypt the stored information. The scheme prevents replay attacks and supports creation, modification, and reading data stored in the cloud. We also address user revocation. Moreover, our authentication and access control scheme is decentralized and robust, unlike other access control schemes designed for clouds which are centralized. The communication, computation, and storage overheads are comparable to centralized approaches. Keywords: Access control, authentication, attribute-based signatures, attribute-based encryption, cloud storage. 1. INTRODUCTION Research in cloud computing is receiving a lot of attention from both academic and industrial worlds. In cloud computing, users can outsource their computation and storage to servers (also called clouds) using Internet. Clouds can provide several types of services like applications (e.g., Google Apps, Microsoft online), infrastructures (e.g., Amazon’s EC2, Eucalyptus, Nimbus), and platforms to help developers write applications (e.g., Amazon’s S3, Windows Azure). Much of the data stored in clouds is highly sensitive, for example, medical records and social networks. Security and privacy are thus very important issues in cloud computing. In one hand, the user should authenticate itself before initiating any transaction, and on the other hand, it must be ensured that the cloud or other users do not know the identity of the user. The cloud can hold the user accountable for the data it outsources, and likewise, the cloud itself accountable for the services it provides[1]. The validity of the user who stores the data is also verified. Apart from the technical solutions to ensure security and privacy, there is also a need for law enforcement.Cloud servers are prone to Byzantine failure, where a storage server can fail in arbitrary ways. The cloud is also prone to data modification and server colluding attacks. In server colluding attack, the adversary can compromise storage servers, so that it can modify data files as long as they are internally consistent[2]. To provide secure data storage, the data needs to be encrypted. However, the data is often modified and this dynamic property needs to be taken into account while designing efficient secure storage techniques[7]. Efficient search on encrypted data is also an important concern in clouds. The clouds should not know the query but should be able to return the records that satisfy the query. This is achieved by means of searchable encryption. Access control in clouds is gaining attention because it is important that only authorized users have access to valid service[3]. A huge amount of information is being stored in the cloud, and much of this is sensitive information. Care should be taken to ensure access control of this sensitive information which can often related to health, important documents (as in Google Docs or Dropbox) or even personal information (as in social networking)[2].Access control is also gaining importance in online social networking where users (members) store their personal information, pictures, videos and share them with selected groups of users or communities they belong to. It is not just enough to store the contents securely in the cloud but it might also be necessary to ensure anonymity of the user. For example, a user would like to store some sensitive information but does not want to be recognized. The user might want to post a comment on an article, but does not want his/her identity to be disclosed[3]. However, the user should be able to prove to the other users that he/she is a valid user who stored the information without revealing the identity. Existing work on access control in cloud are centralized in nature. Even if some decentralized approaches were proposed does not support authentication. Earlier work provides privacy preserving authenticated access control in cloud[1]. However, the authors take a centralized approach where single key distribution center (KDC) distributes secret keys and attributes to all users[6]. 1.1 Our Contributions The main contributions of this paper are the following: 1. Distributed access control of data stored in cloud so that only authorized users with valid attributes can access them.
- 2. International Journal ofScience and Engineering Applications Volume 5 Issue 2, 2016, ISSN-2319-7560 (Online) www.ijsea.com 74 2. Authentication of users who store and modify their data on the cloud. 3. The identity of the user is protected from the cloud during authentication. 4. The architecture is decentralized, meaning that there can be several KDCs for key management. 5. The access control and authentication are both collusion resistant, meaning that no two users can collude and access data or authenticate themselves, if they are individually not authorized. 6. Revoked users cannot access data after they have been revoked. 7. The proposed scheme is resilient to replay attacks. A writer whose attributes and keys have been revoked cannot write back stale information. 8. The protocol supports multiple read and write on the data stored in the cloud. 9. The costs are comparable to the existing centralized approaches, and the expensive operations are mostly done by the cloud. 2. EXISTING ARCHITECTURE The pictorial overview of the existing architecture is depicted in Fig. 1.Existing access control architecture in cloud are centralized in nature. Fig. 1 Single KDC architecture The scheme uses a symmetric key approach and does not support authentication. Earlier work provides privacy preserving authenticated access control in cloud. However, the authors take a centralized approach where single key distribution center (KDC) distributes secret keys and attributes to all users. Unfortunately, a single KDC is not only a single point of failure but difficult to maintain because of large number of users that are supported in a cloud environment. We, therefore, emphasize that clouds should take a decentralized approach while distributing secret keys and attribute to users. It is also quite natural for clouds to have may KDCs in different locations in the world[1]. 3. PROPOSED ARCHITECTURE The Single KDC architecture with no anonymous authentication makes it more complicated and it also increases the storage overhead at the single KDC. Fig. 2 Decentralized KDC architecture The pictorial overview of the decentralized KDC is depicted in Fig. 2.The proposed decentralized architecture, also authenticate users, who want to remain anonymous while accessing the cloud[1]. We proposed a distributed access control mechanism in clouds. In the preliminary version of this paper, we extend the previous work with added features which enables to authenticate the validity of the message without revealing the identity of user who has stored information in the cloud. In this paper, we also address user revocation. We use attribute based signature scheme to achieve authenticity and privacy[12]. Our scheme is resistant to replay attacks, in which user can replace fresh data with stale data from previous write, even if it no longer has valid claim policy. This is an important property because a user, revoked of its attributes, might no longer be able to write to the cloud[2]. The proposed architecture consists of the following modules. The decentralized Key Distribution Centre architecture here considers two KDC[4]. The pictorial representation of the overall flow of the proposed architecture is depicted in Fig. 2a. Fig 2a.Overall flow diagram 1. Service Request to TPA: The user registers with the original identity and enrolls with the Third Party Authenticator(TPA).The user sends request to the Third Party Authenticator(TPA) for registration 2. TPA Policy Creation: The TPA along with token provides the rules and regulation to be followed by Creator, Reader and Writer.
- 3. International Journal ofScience and Engineering Applications Volume 5 Issue 2, 2016, ISSN-2319-7560 (Online) www.ijsea.com 75 3. User File Upload: The file creator after getting proper authentication encrypts the file and uploads his files in the cloud. 4. KDC Key Generation: The Key Distribution Centers which are decentralized generate different keys to different types of users after getting tokens from users. 5. Key Revocation: Whenever there is miss behavior detected upon a user his key is revoked and that particular user can neither use or re-enter the cloud environment. 6. Cloud Admin: Cloud admin has the list of Key Distribution Centres (KDCs) and Third Party Authenticator(TPA). The cloud admin sets the norms to be followed by TPA and KDC. It monitors the key generation policies and informs abnormal behaviours. 4. COMPARISON OF OUR SCHEME WITH EXISTING ACCESS CONTROL SCHEMES Fig. 3 Comparison with other access control schemes 5.CONCLUSION AND FUTURE WORK We have presented a decentralized access control technique with anonymous authentication, which provides user revocation and prevents replay attacks. The cloud does not know the identity of the user who stores information, but only verifies the user’s credentials. Key distribution is done in a decentralized way. One limitation is that the cloud knows the access policy for each record stored in the cloud. In next phase, we would like to hide the attributes and access policy of a user. This project can overcome the top threats identified in clouds which are identified recently. The threats that can be overcome are data loss, insecure APIs, Denial of Service, abuse of cloud services, shared technology issues. 6.ACKNOWLEDGMENTS I would like to extend my gratitude to many people who helped me to bring this paper fruition. First I would like to thank Prof. Bhushan Ugale. I am so deeply grateful for his help, professionalism, and valuable guidance throughout this paper. I would also like to thank to my friends and colleague. This accomplishment would not have been possible without them. Thank you. 7.REFERENCES [1] Sushmita Ruj, Milos Stojmenovic, Amiya Nayak, "Decentralized Access Control with Anonymous Authentication for Securing Data in Clouds,"IEEE Transactions on Parallel and Distributed Systems, pp. 1045- 9219, 2013. [2] S. Ruj, M. Stojmenovic and A. Nayak, “Privacy Preserving Access Control with Authentication for Securing Data in Clouds”, IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 556–563, 2012. [3] C. Wang, Q. Wang, K. Ren, N. Cao and W. Lou, “Toward Secure and Dependable Storage Services in Cloud Computing”, IEEE T. Services Computing, vol. 5, no. 2, pp. 220–232, 2012. [4] J. Li, Q. Wang, C. Wang, N. Cao, K. Ren, and W. Lou, “Fuzzy keyword search over encrypted data in cloud computing,” in IEEE INFOCOM. , pp. 441–445, 2010. [5] S. Kamara and K. Lauter, “Cryptographic cloud storage,” in Financial Cryptography Workshops, ser. Lecture Notes in Computer Science, vol. 6054. Springer, pp. 136–149, 2010. [6] H. Li, Y. Dai, L. Tian, and H. Yang, “Identity-based authentication for cloud computing,” in CloudCom, ser. Lecture Notes in Computer Science, vol. 5931. Springer, pp. 157–166, 2009. [7] C. Gentry, “A fully homomorphic encryption scheme,” Ph.D. dissertation, Stanford University, 2009, http://www.crypto.stanford.edu/craig. [8] A.-R. Sadeghi, T. Schneider, and M. Winandy, “Token- based cloud computing,” in TRUST, ser. Lecture Notes in Computer Science, vol. 6101. Springer, pp. 417–429, 2010. [9] R. K. L. Ko, P. Jagadpramana, M. Mowbray, S. Pearson, M. Kirchberg, Q. Liang, and B. S. Lee, “Trustcloud: A framework for accountability and trust in cloud computing,” HP Technical Report HPL-2011-38. Available at http://www.hpl.hp.com/techreports/2011/HPL-2011-38.html. [10] R. Lu, X. Lin, X. Liang, and X. Shen, “Secure Provenance: The Essential of Bread and Butter of Data Forensics in Cloud Computing,” in ACM ASIACCS, pp. 282– 292, 2010. [11] D. F. Ferraiolo and D. R. Kuhn, “Role-based access controls,” in 15th National Computer Security Conference, 1992. [12] A B Lewko and B Waters, “Decentralizing attribute based encryption”, springer 2011.