View the step-by-step solution to:

An Efcient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Bharath K. Samanthula, Gerry Howser, Yousef Elmehdwi, and...

Review term paper shall have the following structure and be 5000-6000 words.:
Title
Introduction
--------
--------
Discussion of relevant topics
--------
--------
Comparative Analysis
--------
--------
Conclusion
--------
--------
References
3-4 references
Additional Requirements

An Ef cient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Bharath K. Samanthula, Gerry Howser, Yousef Elmehdwi, and Sanjay Madria Department of Computer Science, Missouri S&T 500 West 15th Street, Rolla, Missouri 65409 {bspq8, gwhrkb, ymez76, madrias}@mst.edu ABSTRACT Duetocos t -e f ciency and less hands-on management, data own- ers are outsourcing their data to the cloud which can provide ac- cess to the data as a service. However, by outsourcing their data to the cloud, the data owners lose control over their data as the cloud provider becomes a third party. At rst, encrypting the data by the owner and then exporting it to the cloud seems to be a good ap- proach. However, there is a potential ef ciency problem with the outsourced encrypted data when the data owner revokes some of the users’ access privileges. An existing solution to this problem is based on symmetric key encryption scheme and so it is not secure when a revoked user rejoins the system with different access privi- leges to the same data record. In this paper, we propose an ef cient and Secure Data Sharing (SDS) framework using homomorphic en- cryption and proxy re-encryption schemes that prevents the leakage of unauthorized data when a revoked user rejoins the system. Our framework is secure under the security de nition of Secure Multi- Party Computation (SMC) and also is a generic approach - any ad- ditive homomorphic encryption and proxy re-encryption schemes can be used as the underlying sub-routines. In addition, we also modify our underlying Secure Data Sharing (SDS) framework and present a new solution based on the data distribution technique to prevent the information leakage in the case of collusion between a user and the Cloud Service Provider. Categories and Subject Descriptors K.6.5 [ Management of Computing and Information Systems ]: Security and Protection (D.4.6) General Terms Security, Management Keywords Privacy, Cloud Computing, Homomorphic Encryption, Proxy Re- encryption Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for pro t or commercial advantage and that copies bear this notice and the full citation on the rst page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior speci c permission and/or a fee. Cloud-I ’12, August 31 2012, Istanbul, Turkey Copyright 2012 ACM 978-1-4503-1596-8/12/08. ..$15.00. 1. INTRODUCTION Cloud computing [2] is a means by which highly scalable and technology enabled services can be easily consumed over the In- ternet on an as-needed-basis. This innovative paradigm has gener- ated a signi cant interest in both the marketplace and the academic world, resulting in a number of notable commercial and individual cloud computing services, e.g., from Amazon, Google, Microsoft, Yahoo, and Salesforce. Top database vendors such as Oracle are adding cloud support to their databases. Cloud Computing is clearly one of today’s most enticing tech- nologies, at least in part due to its cost-ef ciency and exibility. However, several security issues in the cloud are impeding the vi- sion of cloud computing as a new IT procurement model. Security concerns preventing companies from taking advantage of the cloud can be categorized into three categories [5]: Traditional security - Involves concerns related to computer and network intrusions. Some of these attacks include VM- level attacks [18], cloud provider vulnerabilities [23], phish- ing cloud provider, authentication and authorization, and foren- sics in the cloud. Cloud providers respond to these concerns by arguing that their security measures and processes are more mature and tested than those of the average company. Availability - Involves concerns centering on critical appli- cations and data availability. Server uptime issues, single points of failure and attack, and the inability of an enterprise to insure that the cloud provider is faithfully running a hosted application and giving the valid results make companies ner- vous. Third-party data control - For the data owner who out- sources data to the cloud, the cloud acts as a semi-trusted third-party. Data placed in the cloud can reside anywhere. Outsourcing data to the Cloud should not lead to de facto outsourcing of data control to the cloud [5]. One of the main security concerns in cloud computing is how the data is being used by a third party Cloud Service Provider (CSP). The legal implications of the data and applications being held by a third party are complex and are not well understood [18]. There is also a potential lack of control and transparency when a third party holds the data. Some of the resulting security concerns include due diligence, auditability, contractual obligations, cloud provider espionage, data lock-in, and the transitive nature of the data control. Trusted computing and applied cryptographic techniques [26] may offer new tools to solve these problems. However, more research needs to be done to alleviate much of today’s fear of data security problems in cloud computing.
Background image of page 1
In general, encryption is a useful tool for protecting the con den- tiality of sensitive data so that even if a database is compromised by an intruder, the data remains protected even after the database has been successfully attacked or stolen. Provided that the encryption is done properly and the decryption keys are not also accessible to the attacker, encryption can provide protection for the sensitive data stored in the database, reduce the legal liability of the data owners, and reduce the cost to society of fraud and identity theft. How- ever, there remain issues with limiting user access to unauthorized elds, ef ciently revoking users’ privileges without re-encrypting massive amounts of data and re-distributing the new keys to the au- thorized users, collusion between users, and issuing changes to a user’s access privileges. In this paper, we investigate ef cient methods for handling user access rights, revoking those rights ef ciently, and issuing either same or different access rights to a returning user. We also ad- dress the issues of security from a “curious” cloud, collusion among users, and collusion between a user and the Cloud Service Provider. 2. PROBLEM STATEMENT In this work, we propose a scheme to achieve ne-grained data sharing and access control over data in the cloud. In contrast to the scheme proposed by Yang [25], which is based on attribute- based encryption and proxy re-encryption, we propose a new Se- cure Data Sharing (SDS) framework using homomorphic encryp- tion and proxy re-encryption as the underlying sub-routines. Figure 1: System Model In our problem setting, see Figure 1, the data owner Alice en- crypts her data locally to ensure privacy. Alice wishes to outsource the data and stores it on the cloud for easy user access. To facil- itate a ne-grained access control, a set of attributes is associated with each data record which helps to control user access to a spe- ci c set of data elds for each authorized user, e.g. Bob. The data owner Alice then issues a decryption key for each authorized user according to his access rights. There are potential issues in the similar ne-grained share/access control proposed by Yang [25]. These issues include re-authorizing a revoked user Bob who later rejoins the system with potentially different access privileges, potential collusion between a revoked user Bob and an authorized user Charles, and collusion between a user and the Cloud Service Provider. We propose a new framework that addresses these issues not addressed earlier altogether in one solution. 3. OUR CONTRIBUTION We present a scheme to achieve ne-grained data sharing/access control over data outsourced to the cloud. Our scheme relies on homomorphic encryption and proxy re-encryption to overcome the issues noted above. The proposed SDS framework has the follow- ing features: Ef cient user revocation - In our scheme, similar to Yang [25], revocation of user privileges does not require either re- encryption of the entire data set or the distribution of new keys to all authorized users. The cloud simply removes the corresponding entry of the revoked user from the authoriza- tion list under the data owner commands. Ef cient and secure re-join of a previously revoked user - If at some future time, the revoked user rejoins the system, whether with the same or different access privileges, all the data owner Alice needs to do is to add a new entry in the authorization list following the same procedure as used to authorize any new user. The revocation of user privileges or the rejoin of previously revoked user does not affect other users because no key re-distribution or data re-encryption is required. Prevention of collusion between a user and the CSP - In our modi ed SDS framework, more details are provided in Sec- tion 6.2, the encrypted data and the authorization token list can be outsourced to separate Cloud Service Providers, thus rendering any collusion between one CSP and a user useless. The likelihood of multiple CSPs colluding with a user is neg- ligible in practice, to say the least. Prevention of collusion between a revoked user and an au- thorized user - Collusion between a revoked user Bob and an authorized user Charles would also be unsuccessful. The authorized user Charles can successfully decrypt only the data the owner, Alice, has authorized. The decryption of all other data elds (i.e., un-authorized elds) will always yield a value of 0. Thus collusion between Bob and Charles would yield only data elds to which Charles currently holds ac- cess. Hence, collusion between Bob and Charles is useless. Generic Approach - The proposed SDS framework is a generic scheme. Any additive homomorphic encryption [15,17] and proxy re-encryption [3,4] methods can be used as underlying sub-routines. 4. RELATED WORK We will present a brief survey of related work which touches upon the cloud security. Background Works on Cloud Computing. Cloud computing is an emerging eld with many research and implementation chal- lenges. While it is tempting to view cloud computing in terms of existing computing models, the cloud presents many unique char- acteristics outlined in [2]. Data security in the cloud is one of them.
Background image of page 2
Show entire document
Comparison-Based Encryption for Fine-grained Access Control in Clouds Yan Zhu 1 , 2 , Hongxin Hu 3 , Gail-Joon Ahn 3 , Mengyang Yu 1 , 2 , Hongjia Zhao 1 , 2 1 Institute of Computer Science and Technology, Peking University, Beijing, 100871, China 2 Beijing Key Laboratory of Internet Security Technology, Peking University, Beijing, 100871, China 3 Laboratory of Security Engineering for Future Computing (SEFCOM), Arizona State University, Tempe, Arizona, 85281, USA {yan.zhu,myyu,zhaohj}@pku.edu.cn; {hxhu,gahn}@asu.edu ABSTRACT Access control is one of the most important security mech- anisms in cloud computing. However, there has been little work that explores various comparison-based constraints for regulating data access in clouds. In this paper, we present an innovative comparison-based encryption scheme to facilitate fine-grained access control in cloud computing. By means of forward/backward derivation functions, we introduce com- parison relation into attribute-based encryption to imple- ment various range constraints on integer attributes, such as temporal and level attributes. Then, we present a new cryptosystem with dual decryption to reduce computational overheads on cloud clients, where the majority of decryption operations are executed in cloud servers. We also prove the security strength of our proposed scheme, and our experi- ment results demonstrate the efficiency of our methodology. Categories and Subject Descriptors D.4.6 [ Operation Systems ]: Security and Protection— Ac- cess controls, Cryptographic controls ;E .3[ Data Encryp- tion ]: Public key cryptosystems General Terms Security, Theory, Verification Keywords Access Control, Cryptography, Integer Comparison, Dual Decryption, Attribute-Based Encryption, Cloud 1. INTRODUCTION The emerging cloud-computing paradigm is rapidly gain- ing momentum as an alternative to traditional information technology due to the reason that it provides an extensible and powerful environment for growing amounts of services and data. One fundamental aspect of this paradigm shifting Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CODASPY’12, February 7–9, 2012, San Antonio, Texas, USA. Copyright 2012 ACM 978-1-4503-1091-8/12/02 . ..$10.00. is that data storage and processing are being outsourced into the cloud. However, cloud computing is also facing many challenges for data security as the users outsource their sen- sitive data to clouds, which are generally beyond the same trusted domain as data owners. To address such a problem, access control is considered as one of critical security mechanisms for data protection in cloud applications. Unfortunately, traditional data access control approaches usually assume that data is stored in a trusted data server for all users. This assumption however no longer holds in cloud computing since the data owners and cloud servers are very likely to be in diFerent domains. Hence, attribute-based encryption (ABE) has been intro- duced into cloud computing to encrypt outsourced sensitive data in terms of access policy on attributes describing the outsourced data, and only authorized users can decrypt and access the data [5, 9, 10, 12, 14, 20]. Since the access control policy of every object is embedded within it, the enforcement of policy becomes an inseparable characteristic of the data itself. This is in direct contrast to most currently access control systems, which rely upon a trusted host to mediate access and maintain policies. Challenges. Although there have been some attempts to construct fine-grained access control systems in clouds, ex- isting work lacks a systematic mechanism to support a com- plete comparison relation, <,>, , , in policy specification. In particular, to realize integer comparisons in ABE, Bethen- court et al. [5] proposed a naive approach, called as BSW’s scheme, by using Bitwise-comparison operators based on AND/OR operators. However, this scheme has following shortcomings: It cannot support dual comparative expressions, where two range-based comparative constraints must be embed- ded into the outsourced files as well as the user’s private key. ±or example, we cannot generate a user’s private key with a range 4 ?±²³ℎ 10, which is particularly useful for representing fine-grained policies. It cannot support efficient cryptographic comparison meth- ods. In Bitwise-comparison, the sizes of user’s key and ci- phertext are very large because the integer must be split into bits, and this causes higher computational costs of both encryption and decryption. All algorithms in existing scheme are run in a stand-alone mode, and the overheads of running those algorithms are big due to the sophisticated bilinear pairing operations, 105
Background image of page 01