Achieving Secure Role-Based Access Control on Encrypted Data in Cloud Storage
01 Dec 2013-IEEE Transactions on Information Forensics and Security (Institute of Electrical and Electronics Engineers (IEEE))-Vol. 8, Iss: 12, pp 1947-1960
TL;DR: This paper proposes a role-based encryption (RBE) scheme that integrates the cryptographic techniques with RBAC, and presents a secure RBE-based hybrid cloud storage architecture that allows an organization to store data securely in a public cloud, while maintaining the sensitive information related to the organization's structure in a private cloud.
Abstract: With the rapid developments occurring in cloud computing and services, there has been a growing trend to use the cloud for large-scale data storage. This has raised the important security issue of how to control and prevent unauthorized access to data stored in the cloud. One well known access control model is the role-based access control (RBAC), which provides flexible controls and management by having two mappings, users to roles and roles to privileges on data objects. In this paper, we propose a role-based encryption (RBE) scheme that integrates the cryptographic techniques with RBAC. Our RBE scheme allows RBAC policies to be enforced for the encrypted data stored in public clouds. Based on the proposed scheme, we present a secure RBE-based hybrid cloud storage architecture that allows an organization to store data securely in a public cloud, while maintaining the sensitive information related to the organization's structure in a private cloud. We describe a practical implementation of the proposed RBE-based architecture and discuss the performance results. We demonstrate that users only need to keep a single key for decryption, and system operations are efficient regardless of the complexity of the role hierarchy and user membership in the system.
Citations
More filters
TL;DR: This paper presents a comprehensive analysis of the data security and privacy threats, protection technologies, and countermeasures inherent in edge computing, and proposes several open research directions of data security in the field of edge computing.
Abstract: With the explosive growth of Internet of Things devices and massive data produced at the edge of the network, the traditional centralized cloud computing model has come to a bottleneck due to the bandwidth limitation and resources constraint. Therefore, edge computing, which enables storing and processing data at the edge of the network, has emerged as a promising technology in recent years. However, the unique features of edge computing, such as content perception, real-time computing, and parallel processing, has also introduced several new challenges in the field of data security and privacy-preserving, which are also the key concerns of the other prevailing computing paradigms, such as cloud computing, mobile cloud computing, and fog computing. Despites its importance, there still lacks a survey on the recent research advance of data security and privacy-preserving in the field of edge computing. In this paper, we present a comprehensive analysis of the data security and privacy threats, protection technologies, and countermeasures inherent in edge computing. Specifically, we first make an overview of edge computing, including forming factors, definition, architecture, and several essential applications. Next, a detailed analysis of data security and privacy requirements, challenges, and mechanisms in edge computing are presented. Then, the cryptography-based technologies for solving data security and privacy issues are summarized. The state-of-the-art data security and privacy solutions in edge-related paradigms are also surveyed. Finally, we propose several open research directions of data security in the field of edge computing.
298 citations
Cites methods from "Achieving Secure Role-Based Access ..."
...Several cryptographybased solutions, such as attribute-based encryption [60] and role-based encryption [61] methods, can be used to achieve flexible and fine-grained access control....
[...]
...[61] firstly proposed a Role-Based Encryption (RBE) scheme with efficient user revocation that combines the cryptographic techniques with RBAC policies, which allow executing the RBAC policies in the encrypted data....
[...]
01 Dec 2015
TL;DR: This paper presents how to encrypt a linear controller using modified homomorphic encryption schemes based on public-key RSA and ElGamal encryption systems and confirms that only the scrambled parameters and signals can be seen in the controller device of the security-enhanced networked control system.
Abstract: This paper proposes a new concept of controller encryption for enhancement of the cyber-security of networked control systems and presents how to encrypt a linear controller using our modified homomorphic encryption schemes based on public-key RSA and ElGamal encryption systems. A remarkable advantage of the controller encryption is to be able to conceal several informations processed inside the controller device, such as controller parameters, references (recipes), measurements, control commands, and parameters of plant models in the internal model principal, maintaining an original function of the controller. Therefore, even if malicious users hacked the controller device by unauthorized accesses, it would take much time and cost to decipher and steal the control system's information. Finally, numerical examples confirm that only the scrambled parameters and signals can be seen in the controller device of the security-enhanced networked control system.
203 citations
Cites background from "Achieving Secure Role-Based Access ..."
...Cryptography is an important technology enabling to protect information against the third parity such as the malicious users and adversaries, and recently a public-key cryptography is in widespread use to cloud systems [7], [8]....
[...]
Patent•
PARC1
TL;DR: In this article, a hierarchical structured variable-length identifier (HSVLI) is used to indicate a piece of content and indicate a hierarchical structure of contiguous components ordered from a most general level to a most specific level.
Abstract: One embodiment provides a system that forwards a packet with a hierarchically structured variable-length identifier (HSVLI) in a network. An HSVLI indicates a piece of content and indicates a hierarchical structure of contiguous components ordered from a most general level to a most specific level. The length of the HSVLI is not fixed. During operation, the system receives a packet which contains an interest for a piece of content with an HSVLI. Subsequently, the system determines forwarding information for the HSVLI based on one or more of: knowledge of content which matches the HSVLI, a forwarding policy, and contextual information about the network. Next, the system configures a forwarding engine with the forwarding information. The system then forwards the packet based on the forwarding information.
181 citations
TL;DR: A blockchain-based security architecture for distributed cloud storage, where users can divide their own files into encrypted data chunks, and upload those data chunks randomly into the P2P network nodes that provide free storage capacity is proposed.
155 citations
Patent•
PARC1
TL;DR: In this paper, a name-based content-forwarding system generates an ordered-element name for a content item, and can process an interest to identify and perform an action that satisfies the interest.
Abstract: A name-based content-forwarding system generates an ordered-element name for a content item, and can process an interest to identify and perform an action that satisfies the interest. To generate the ordered-element name, the system generates one or more fixed-length elements for a content item, such that each fixed-length element of the ordered-element name is mapped to the content item or to a context associated with the content item. The system then generates the ordered-element name to include the one or more fixed-length elements so that the name elements are ordered from a highest matching priority to a lowest matching priority. The system can also generate a packet that includes the ordered-element name for the content item, and sends the packet to a target location that corresponds to the ordered-element name.
142 citations
References
More filters
TL;DR: The clouds are clearing the clouds away from the true potential and obstacles posed by this computing capability.
Abstract: Clearing the clouds away from the true potential and obstacles posed by this computing capability.
9,282 citations
"Achieving Secure Role-Based Access ..." refers background in this paper
...Digital Object Identifier 10.1109/TIFS.2013.2286456 their data, and security is often cited as the top obstacle for cloud adoption....
[...]
23 Aug 1985
TL;DR: In this article, the authors introduce a novel type of cryptographic scheme, which enables any pair of users to communicate securely and to verify each other's signatures without exchanging private or public keys, without keeping key directories, and without using the services of a third party.
Abstract: In this paper we introduce a novel type of cryptographic scheme, which enables any pair of users to communicate securely and to verify each other’s signatures without exchanging private or public keys, without keeping key directories, and without using the services of a third party. The scheme assumes the existence of trusted key generation centers, whose sole purpose is to give each user a personalized smart card when he first joins the network. The information embedded in this card enables the user to sign and encrypt the messages he sends and to decrypt and verify the messages he receives in a totally independent way, regardless of the identity of the other party. Previously issued cards do not have to be updated when new users join the network, and the various centers do not have to coordinate their activities or even to keep a user list. The centers can be closed after all the cards are issued, and the network can continue to function in a completely decentralized way for an indefinite period.
6,902 citations
Book•
01 Jan 1986TL;DR: It is shown here how Elliptic Curves over Finite Fields, Local Fields, and Global Fields affect the geometry of the elliptic curves.
Abstract: Algebraic Varieties.- Algebraic Curves.- The Geometry of Elliptic Curves.- The Formal Group of Elliptic Curves.- Elliptic Curves over Finite Fields.- Elliptic Curves over C.- Elliptic Curves over Local Fields.- Elliptic Curves over Global Fields.- Integral Points on Elliptic Curves.-Computing the Mordell Weil Group.- Appendix A: Elliptic Curves in Characteristics.-Appendix B: Group Cohomology (H0 and H1).
4,680 citations
30 Oct 2006
TL;DR: This work develops a new cryptosystem for fine-grained sharing of encrypted data that is compatible with Hierarchical Identity-Based Encryption (HIBE), and demonstrates the applicability of the construction to sharing of audit-log information and broadcast encryption.
Abstract: As more sensitive data is shared and stored by third-party sites on the Internet, there will be a need to encrypt data stored at these sites. One drawback of encrypting data, is that it can be selectively shared only at a coarse-grained level (i.e., giving another party your private key). We develop a new cryptosystem for fine-grained sharing of encrypted data that we call Key-Policy Attribute-Based Encryption (KP-ABE). In our cryptosystem, ciphertexts are labeled with sets of attributes and private keys are associated with access structures that control which ciphertexts a user is able to decrypt. We demonstrate the applicability of our construction to sharing of audit-log information and broadcast encryption. Our construction supports delegation of private keys which subsumesHierarchical Identity-Based Encryption (HIBE).
4,257 citations
22 May 2005
TL;DR: In this article, a new type of identity-based encryption called Fuzzy Identity-Based Encryption (IBE) was introduced, where an identity is viewed as set of descriptive attributes, and a private key for an identity can decrypt a ciphertext encrypted with an identity if and only if the identities are close to each other as measured by the set overlap distance metric.
Abstract: We introduce a new type of Identity-Based Encryption (IBE) scheme that we call Fuzzy Identity-Based Encryption. In Fuzzy IBE we view an identity as set of descriptive attributes. A Fuzzy IBE scheme allows for a private key for an identity, ω, to decrypt a ciphertext encrypted with an identity, ω ′, if and only if the identities ω and ω ′ are close to each other as measured by the “set overlap” distance metric. A Fuzzy IBE scheme can be applied to enable encryption using biometric inputs as identities; the error-tolerance property of a Fuzzy IBE scheme is precisely what allows for the use of biometric identities, which inherently will have some noise each time they are sampled. Additionally, we show that Fuzzy-IBE can be used for a type of application that we term “attribute-based encryption”.
In this paper we present two constructions of Fuzzy IBE schemes. Our constructions can be viewed as an Identity-Based Encryption of a message under several attributes that compose a (fuzzy) identity. Our IBE schemes are both error-tolerant and secure against collusion attacks. Additionally, our basic construction does not use random oracles. We prove the security of our schemes under the Selective-ID security model.
3,610 citations