
Source: info.psu.edu.sa/psu/library/files/THE00013.pdf


An Enhanced Cipher Text Policy Attribute based

Encryption for Outsourcing Data over Cloud

A Thesis submitted in partial fulfilment of the requirements for the degree of

Masters of Science in Software Engineering

By

Hadeel Alseghayyir

Under the Supervision of

Dr. Thavavel Vaiyapuri

College of Computer and Information Sciences

Prince Sultan University

Saudi Arabia

January, 2016


2 | P a g e

An Enhanced Cipher Text Policy Attribute based

Encryption for Outsourcing Data over Cloud

By

Hadeel Alseghayyir

This thesis was defended and approved on _____________________________

Supervisor: Dr. Thavavel Vaiyapuri

Members of the Exam Committee:

Dr. Thavavel Vaiyapuri (Chair)

Member

Member


ACKNOWLEDGMENT

I would like to express my sincere appreciation to my supervisor, Dr. Thavavel Murugesan, and department supervisor Prof. Ajantha Dahanayake for their support, guidance and suggestions throughout the writing of this thesis. Furthermore, I would like to thank my parents for their endless support, love and prayers. Special thanks are given to my friend Jawaher for her encouragement and support throughout my study. Finally, special thanks to my committee members, Dr. Mohammad Zarour and Dr. Nor Shahriza, for their guidance in improving this thesis.


ABSTRACT

Cloud computing allows data users to outsource and share their data at an affordable price and with high scalability. Despite these advantages, data outsourcing makes it harder for data owners to manage their outsourced data: how can the privacy of outsourced data be preserved, and how can access control policies on it be enforced? Attribute-based encryption (ABE) can be the right cryptographic tool for these concerns: data owners specify an access control policy on the outsourced data while encrypting it, and users can decrypt the ciphertexts only if their attributes satisfy that policy. However, pure ABE is not sufficient for data sharing applications, since users' access rights are not static: a user's access right might be revoked when he or she leaves the organization. Ciphertext-policy attribute-based encryption (CP-ABE) is becoming a promising cryptographic solution to this issue, but applying CP-ABE in an outsourced architecture introduces two major drawbacks: the key escrow problem and the difficulty of user revocation. This thesis therefore attempts to answer the primary research question "How to devise an efficient cryptographic scheme to preserve privacy and ensure confidentiality and access control while outsourcing data to cloud?". To this end, the thesis proposes an enhanced CP-ABE scheme to securely outsource and manage data over the cloud. The proposed scheme offers the following achievements: 1) the key escrow problem is solved by an escrow-free key issuing protocol, constructed using secure two-party computation between the key generation center (KGC), the local authority (LA) and the data-storing center (DSC); and 2) fine-grained user revocation at the attribute level is achieved by rekeying and proxy re-encryption. The applicability and feasibility of the proposed scheme are evaluated on a real-world case, exploring how academic institutions may take advantage of clouds not only in terms of cost but also in terms of efficiency, reliability and security. Finally, the performance and security analyses indicate that the proposed scheme efficiently and securely manages data distributed in a cloud environment. The major contributions and future research directions are also summarized.

Keywords: Data Outsourcing, Cloud Computing, Privacy and Security, Attribute-based Encryption, Key Escrow, Key Revocation, Outsourcing Academic Data


ملخص البحث (Arabic abstract: the Arabic translation of the English abstract above)


List of Abbreviations

2PC protocol: Two-phase commit protocol
AA: Academic Authority
ABE: Attribute-based encryption
AES: Advanced File Encryption
AS: Access structure
AWAP: Write access structure
API: Application Program Interface
CC: Cloud Computing
CP-ABE: Cipher-text policy attribute-based encryption
CP-ABSC: Ciphertext-Policy Attribute-Based Signcryption
CP-ABPRE: Cipher-text policy attribute-based Proxy Re-Encryption
CT: Cipher-text
DSC: Data-storing centre
drvuKPABE: Directly revocable key-policy Attribute-Based Encryption
E: Encrypted file
FIFO: First in First Out
HIBE: Hierarchical Identity-based encryption
IAAS: Infrastructure as a Service
IBE: Identity-based encryption
KGC: Key generation centre
KP-ABE: Key-policy attribute-based encryption
Ku: Decryption key
LU: Users list
MK: Master key
PAAS: Platform as a Service
PASS: Random password
PK: Public parameters
PKI: Public key infrastructure
PrivAP: Private academic professional
PrivS: Private key
PubAP: Public academic professional
PP: Public Parameter
PHR: Patient Health Records
RSA: Rivest, Shamir, and Adleman
RSK: Random secret key
SAAS: Software as a Service
TA: Trusted Authority
SK: Secret key
UI: Update information


Table of Contents

DECLARATION ... 12
Chapter 1: Introduction ... 13
1.1 Purpose of Research ... 15
1.2 Problem Description ... 15
1.3 Research Question ... 17
1.4 Research Methodology ... 18
1.5 Research Method Overview ... 18
1.6 Research Process ... 19
1.6.1 Defining Problem ... 19
1.6.2 Research Background ... 20
1.6.3 Specify Requirements ... 21
1.6.4 Prototype Solution ... 21
1.6.5 Test Solution ... 21
1.6.6 Result Analysis ... 22
1.6.7 Communicate Results ... 22
1.7 Research Contribution ... 22
1.8 Research Delimitation ... 24
1.8.1 Data Limitations ... 24
1.8.2 Legal Limitations ... 24
1.8.3 Cryptographic Limitations ... 24
1.9 Research Thesis Layout ... 24
1.10 Ethical Issues ... 26
Chapter 2: Literature Review ... 27
2.1 Introduction ... 28
2.2 International Standards and ISO ... 28
2.3 Legal Nature and Effect of International Standards ... 30
2.4 Cloud Computing Data Protection Risks ... 31
2.5 Need for New Standard ISO/IEC 27017 ... 34
2.6 Previous ISO Privacy-related Standards ... 34
2.7 Key Elements of ISO/IEC 27017 ... 35
2.8 Data Outsourcing Architecture ... 39
2.9 Security Requirements ... 40
2.10 Cryptography Algorithms ... 41
2.10.1 Key-Policy Attribute-Based Encryption ... 42
2.10.2 Ciphertext-Policy Attribute-Based Encryption ... 44
2.11 Challenges Faced in CP-ABE ... 46
2.12 Related Work on Attribute-Based Encryption ... 46
2.13 Related Works with Key Escrow ... 50
2.14 Related Works with Revocation ... 51
2.14.1 Attribute Revocation ... 52
2.14.2 User Revocation ... 53
Chapter 3: An Improved CP-ABE Scheme for Data Outsourcing over Cloud ... 55
3.1 Introduction ... 56
3.2 Models and Assumptions ... 56
3.2.1 Security Model ... 56
3.2.2 Assumptions ... 57
3.3 Proposed CP-ABE Scheme Construction ... 57
3.4 Escrow-Free Key Issuing Protocol ... 59
3.5 User Revocation ... 61
3.6 Implementation API for Proposed CP-ABE Scheme ... 63
3.7 Conclusion ... 64
Chapter 4: Applicability Analysis - A Case Study on Academic Environment (University) ... 66
4.1 Introduction ... 67
4.2 Need and Requirements for Privacy in Academic Cloud ... 67
4.3 Challenges in Adopting the Proposed Scheme for Academic Environment ... 70
4.4 Proposed Architecture ... 70
4.5 Security Implementation ... 71
4.5.1 System Initialization ... 71
4.5.2 Adding New Users ... 71
4.5.3 Student Academic Data Management ... 73
4.5.4 Student Education Data Management ... 74
4.6 Discussion and Conclusion ... 75
Chapter 5: Security and Performance Analysis ... 77
5.1 Security Analysis ... 78
5.2 Comparative Analysis with Related Works ... 80
5.3 Performance Analysis ... 81
5.3.1 Encryption Operations Analysis ... 81
5.3.2 Simulation Analysis ... 83
Chapter 6: Conclusion and Future Directions ... 86
6.1 Summary ... 87
6.2 Future Research Directions ... 88
References ... 89
Appendix A. Source Code ... 94


List of Figures

Figure 1.1 Cloud use is growing over the years [67] ... 14
Figure 1.2 Research process adopted for the current work ... 20
Figure 2.1 ISO/IEC 27017 framework ... 36
Figure 2.2 Architecture of a data outsourcing system ... 39
Figure 2.3 ABE tree access structure ... 41
Figure 2.4 KP-ABE scheme ... 44
Figure 2.5 CP-ABE scheme ... 45
Figure 3.1 Two-party computation protocol among KGC, LA and DSC ... 61
Figure 3.2 Layered view of components for building secure applications using CP-ABE ... 63
Figure 3.3 Proposed set of classes for CP-ABE ... 64
Figure 4.1 Existing system for keeping student academic records ... 68
Figure 4.2 Proposed architecture for outsourcing academic data over cloud ... 71
Figure 4.3 Example of student supervision ... 74
Figure 5.1 Encryption evaluation ... 82
Figure 5.2 Decryption evaluation ... 83
Figure 5.3 Model for simulation analysis ... 84
Figure 5.4 Performance analysis without access policy change request ... 84
Figure 5.5 Performance analysis with access policy change request ... 85

List of Tables

Table 1-1 Cloud computing and cost effectiveness ... 15
Table 2-1 Different types of certifications for data security by cloud providers ... 28
Table 3-1 Encrypting a digital document using the proposed CP-ABE library ... 64
Table 5-1 Comparison of the proposed protocol (with the use of a group key) to related work ... 80


DECLARATION

I hereby declare that I am the sole author of this thesis. I authorize Prince Sultan University to lend this thesis to other institutions or individuals for the purpose of scholarly research.


Chapter 1: Introduction


Cloud computing relies on sharing computing resources rather than having local servers handle the applications of a particular organization or individual. Because it needs no infrastructure investment, lets resources expand or shrink on demand, and is paid for by usage, it has become popular among the various technologies (Fig 1.1). Many enterprises look to utilize these benefits to the maximum extent. Cloud services make it possible to access information from anywhere at any time [1,2]. Cloud computing uses networks of large groups of servers, typically built from low-cost consumer PC technology, with specialized connections to spread data processing across them. Virtualization techniques maximize the power of cloud computing: using this concept, cloud computing has the flexibility to manage multiple resources, allocates resources on demand and allows immediate scaling. Cloud computing is a comprehensive solution that delivers IT as a service; it is an internet-based solution for computing resources.

Figure 1.1 Cloud use is growing over the years [67]

Data stored in cloud storage is considered outsourced data: it is managed by the cloud service provider, which is an external party. Cloud services provide cost-effective management of resources, and more and more enterprises make use of this benefit (see Table 1-1). Since cloud storage is managed by external parties, they cannot be fully trusted [3], so security and privacy become a major concern. Cloud security involves restricting access to authorized users, maintaining the integrity of data and ensuring the availability of data and services; mainly, security covers confidentiality, integrity and availability [4]. Moving storage, applications and other IT infrastructure and services to the cloud results in increased reliability and flexibility at low cost, but information security is a major problem. To secure outsourced data, the data is generally stored in encrypted form so that only authorized users can access it.

Table 1-1 Cloud computing and cost effectiveness

                        Physical Infrastructure   Cloud Infrastructure
Capital Investment      $40,000                   $0
Setup Costs             $10,000                   $1,000
Monthly Services        $0                        $2,400
Monthly Labor           $3,200                    $1,000
Cost over Three Years   $149,000                  $106,000
Savings gained          0%                        29%

1.1 Purpose of Research

The purpose of this thesis is to find the benefits and drawbacks of moving personal data to the cloud, and to what extent these drawbacks can be mitigated by the use of encryption techniques. We set out a realistic scenario in an academic environment to investigate the set of problems and limitations that occur when an institution moves its data to the cloud, for example when a university transfers its student data to a cloud.

1.2 Problem Description

Cloud computing is a technology that allows software and hardware for computation and storage to be shared over the internet. In recent years, the usage of cloud computing by governments and companies has increased. According to the research and advisory company Gartner, worldwide cloud Infrastructure-as-a-Service grew 32.8 percent in 2015 compared to the year before, resulting in a US$16.5 billion market. This increase in the use of cloud services can be explained by several benefits it provides, namely high mobility and flexible scalability, which can lead to better cost control. However, the increasing shift to cloud-based solutions also raises concerns over the deliberate or accidental disclosure of private data by the cloud service provider. These concerns are addressed by policies and legislation, but alone these seem insufficient. The laws of the jurisdiction where private data is collected may not continue to apply to that data after it has been transferred. Major U.S. cloud providers Microsoft and Google have admitted that they handed over private data of Europeans to U.S. authorities, forced by U.S. laws overruling agreements previously made in the EU, and could be forced to do so again.

Although cloud computing is much more powerful than personal computing, it brings new privacy and security challenges: by outsourcing their data, users relinquish control and no longer have physical possession of it. Consequently, data owners demand high levels of security when they outsource their data to a cloud; although they usually encrypt their data when storing it on a cloud server, they still want control over it, for example when they frequently update it [11-13].

To realize an effective privacy-preserving data sharing service in cloud computing, the following challenges need to be met: first, the cloud needs to support dynamic requests, so that data owners can grant or revoke the access privileges of other users, allowing them to create or delete their data; second, the users' privacy must be protected against the cloud, so that they can conceal their private information while accessing it; finally, users should be able to access shared data in the cloud through connected devices with low computing ability, such as smartphones and tablets [57, 58].

In recent years, new methods have been developed to complement trust in contractual agreements with encryption models that enforce data confidentiality. Direct employment of traditional cryptographic primitives cannot achieve the required data security. Thus, a considerable amount of work has been directed towards ensuring the privacy and security of remotely stored shared data using a variety of systems and security models [14, 15]. These have mainly focused on preserving users' privacy while realizing the desired security goals, without introducing excessively high complexity for users at the decryption stage. To solve these issues, researchers have either utilized key-policy attribute-based encryption (KP-ABE) for secure access control [16] or employed hierarchical identity-based encryption (HIBE) for data security [17]. However, by revealing some of the users' attributes to the cloud, these systems were unable to fully preserve users' privacy.

Ciphertext-policy attribute-based encryption (CP-ABE) has been employed to preserve privacy and guarantee data confidentiality against the cloud. In CP-ABE, each user is associated with a set of attributes, and data is encrypted under an access structure defined over attributes [18]. A user is able to decrypt a ciphertext if and only if his or her attributes satisfy the ciphertext's access structure. However, two issues remain when CP-ABE is applied directly to cloud data sharing applications. First, data owners who outsource lack effective methods to handle the key escrow problem, where so-called honest-but-curious cloud servers attempt to access the outsourced data and may cause privacy leakage. Second, user revocation is extremely hard to implement efficiently [18].
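To make the CP-ABE access-structure rule above concrete, here is an added example (not code from the thesis) that implements the threshold access tree and Shamir-style secret sharing that ciphertext-policy schemes in the Bethencourt-Sahai-Waters style use to bind a data key to a policy. The bilinear-pairing layer that hides each leaf share from anyone without the matching attribute key is omitted, and the policy, attribute names and prime field are constructed for illustration.

```python
"""Access-tree secret sharing as used inside CP-ABE ciphertext policies.

Constructed example: the policy is an access tree whose internal nodes are
k-of-n threshold gates (AND = n-of-n, OR = 1-of-n) and whose leaves are
attributes. The encryptor shares a secret down the tree with Shamir
polynomials; a user rebuilds the secret, and hence the data key, only if the
attribute set in their key satisfies the tree. Real CP-ABE blinds each leaf
share inside group elements; here shares are plain field elements so that
the access-control logic is visible.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

P = 2**127 - 1  # prime field for the shares (assumption: any large prime works)


@dataclass
class Node:
    k: int = 1                        # threshold: k of the children must be satisfied
    children: List["Node"] = field(default_factory=list)
    attr: Optional[str] = None        # set on leaves only
    share: Optional[int] = None       # leaf share, filled in by share_secret()


def AND(*nodes: Node) -> Node:
    return Node(k=len(nodes), children=list(nodes))

def OR(*nodes: Node) -> Node:
    return Node(k=1, children=list(nodes))

def K_OF(k: int, *nodes: Node) -> Node:
    return Node(k=k, children=list(nodes))

def A(name: str) -> Node:
    return Node(attr=name)


def _poly_eval(coeffs: List[int], x: int) -> int:
    acc = 0
    for c in reversed(coeffs):        # Horner's rule; coeffs[0] is the constant term
        acc = (acc * x + c) % P
    return acc


def share_secret(node: Node, secret: int) -> None:
    """Encryptor side: push `secret` down the tree; each leaf keeps one share."""
    if node.attr is not None:
        node.share = secret           # real CP-ABE hides this inside a group element
        return
    # degree k-1 polynomial q with q(0) = secret; child i receives q(i)
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for i, child in enumerate(node.children, start=1):
        share_secret(child, _poly_eval(coeffs, i))


def _lagrange_at_zero(points: List[tuple]) -> int:
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover(node: Node, attrs: Set[str]) -> Optional[int]:
    """Decryptor side: rebuild the node's secret, or None if attrs do not satisfy it."""
    if node.attr is not None:
        return node.share if node.attr in attrs else None
    points = []
    for i, child in enumerate(node.children, start=1):
        value = recover(child, attrs)
        if value is not None:
            points.append((i, value))
        if len(points) == node.k:     # any k satisfied children suffice
            break
    if len(points) < node.k:
        return None
    return _lagrange_at_zero(points)


def data_key(secret: int) -> bytes:
    """Hybrid use: the recovered secret keys the symmetric cipher for the file."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def academic_policy() -> Node:
    # Constructed policy for the university scenario: faculty in the CS
    # department, or faculty holding any two of the listed roles.
    return AND(A("faculty"),
               OR(A("dept:CS"),
                  K_OF(2, A("supervisor"), A("committee"), A("registrar"))))


if __name__ == "__main__":
    tree = academic_policy()
    s = secrets.randbelow(P)
    share_secret(tree, s)
    for attrs in ({"faculty", "dept:CS"}, {"faculty", "supervisor", "registrar"},
                  {"faculty", "supervisor"}, {"dept:CS", "supervisor", "committee"}):
        print(sorted(attrs), "->", "key recovered" if recover(tree, attrs) == s else "denied")
```

Because the shares live in the ciphertext and the attribute set in the user's key, revoking a user who still holds a matching key requires re-sharing the ciphertext or re-issuing keys, which is the revocation cost the paragraph above refers to.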

1.3 Research Question

To our knowledge, the existing cryptographic schemes either have privacy flaws or provide security at the expense of performance [16-22]; therefore, the challenge of achieving the dual goals of privacy preservation and effective cloud data sharing remains unresolved. This leads to the need for a scheme that ensures data owners' privacy and confidentiality over the outsourced data. Thus, the research question can be stated as:

"How to devise an efficient cryptographic scheme to preserve privacy and ensure confidentiality and access control while outsourcing data to cloud?"

We answer this research question by means of the following two sub-questions:

1. Can encryption methods be used to allow data processing in the cloud from a legal perspective?

2. Is it feasible for the academic environment to use encryption to process student data in the cloud?


1.4 Research Methodology

For any research to be carried out, the type of methodology used to perform a particular task with various techniques and methods must be known in order to attain the research goal. There are many research methods; the quantitative and qualitative types are the major and most commonly used classifications.

The qualitative method is a research methodology that serves as a means of collecting data for a particular research problem. It deals more with describing the meaning of a particular research task in depth, and can be carried out through interviews, in-depth observations and case studies. Thus, the qualitative method helps the researcher collect a large amount of information about the subject of the research topic.

In this research, the methodology used is the qualitative method, because the scheme descriptions, modern cryptographic techniques and the various security models for securely outsourcing data over the cloud are gathered by carrying out a literature review. The security requirements for data outsourcing, and the applicability of the CP-ABE scheme to meeting these requirements, are studied in depth, and an analysis is completed to determine the feasibility and performance in comparison to other state-of-the-art cryptographic schemes.

1.5 Research Method Overview

To investigate the extent to which current encryption methods or tools can be applied to enforce the privacy of personal data stored in the cloud, we will use the following approach.

Step 1. Literature study of the background of cloud computing and the processing of personal data.

In the first part of our literature study, we set out the current possibilities of cloud computing and what type of requirements have to be satisfied, from a legal perspective, when choosing to move personal data to the cloud.


Step 2. Literature study of methods and models to enforce data security in the cloud.

In the second part of our literature study, we set out several encryption methods and models that can provide various data confidentiality guarantees.

Step 3. Defining security requirements for a specific cloud computing scenario.

In this part of the thesis, we set out the security requirements for outsourcing data over the cloud based on international standards. In our analysis, these requirements will serve as a baseline for considering an encryption model suited to processing personal data.

Step 4. Analysis of the extent to which an encryption model can be applied in the cloud to enforce the confidentiality of personal data.

In this analysis, we set out how well encryption models can be deployed to satisfy the previously stated legal and security requirements. The aim of this analysis is to provide an answer to our main research question.

1.6 Research Process

1.6.1 Defining Problem

A secure and efficient medium is necessary when the sender and the owner of the data transfer data between them. The security depends entirely on the attributes that determine how users are to share the data. Enforcing data access policies, and ensuring that users adhere to them, is a major challenge in building effective security into confidential data sharing systems. The most promising way to solve this problem is ciphertext-policy attribute-based encryption. It enables data owners to define their own access policies over user attributes and to enforce those policies on the data to be distributed. However, this advantage of the framework comes with a notable drawback known as the key escrow problem: the key generation centre can decrypt any message addressed to particular users by generating their private keys. This is not suitable for ordinary data sharing situations where the data owner wants to make private data accessible only to designated users. Furthermore, applying CP-ABE in a data sharing framework introduces another challenge regarding user revocation, since access policies are defined only over the attribute universe.

Figure 1.2 Research Process adopted for the current work

1.6.2 Research Background

The cloud is operated by cloud service providers (CSP) and offers web services. This entity is not fully trusted by cloud users because, in general, the CSP is not a group member and lies outside the users' trusted domain. The group manager is responsible for the framework and controls the system parameters, user registration, user revocation and revealing the identity of a data owner. The group manager is a fully trusted entity. To achieve secure data sharing for dynamic groups in the cloud, Mona combines group signature and dynamic broadcast encryption techniques. The group signature enables users to use cloud resources anonymously, and dynamic broadcast encryption allows data owners to share their data securely. The group manager is in charge of system initialisation. To register a user, the group manager randomly chooses a number and registers the user according to a known equation. For user revocation, the group manager maintains a public revocation list, based on which group members can encrypt their data files and guarantee confidentiality against revoked users.

1.6.3 Specify requirements

The ABE-based scheme supports monotonic access formulas that contain AND, OR, or threshold gates. The hierarchical identity-based architecture in cloud computing captures the usage hierarchy in secure cloud storage service sharing. The root private key generator (PKG) delegates the upper-level user as the lower-level PKG, which is then used to generate the secret keys for all lower-level users. Secret key transmission is done in a secure domain for the users to ensure secure delivery. Two properties characterise key escrow: a mechanism, external to the primary means of encryption and decryption, by which a third party can gain covert access to the plaintext of encrypted data; and the existence of a highly sensitive secret key (or collection of keys) that must be protected for an extended period of time.
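The monotone access formulas mentioned above (AND, OR and threshold gates) are what a CP-ABE ciphertext is labelled with, and decryption succeeds exactly when the user's attribute set satisfies the formula. The following evaluator is an added example, not code from the thesis or from any CP-ABE library; the policy, attribute names and the `STUDENT_RECORD_POLICY` constant are constructed for illustration, and the `minimal_sets` audit goes beyond the text by enumerating every minimal attribute set a policy admits.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Gate:
    """A k-of-n threshold gate over child policies.

    AND is the n-of-n case and OR the 1-of-n case, so every monotone
    access formula built from AND, OR and threshold gates is a tree of
    Gate nodes with attribute-name strings at the leaves.
    """
    k: int
    children: Tuple["Policy", ...]

    def __post_init__(self) -> None:
        if not 1 <= self.k <= len(self.children):
            raise ValueError("threshold k must satisfy 1 <= k <= number of children")


Policy = Union[Gate, str]


def AND(*children: "Policy") -> Gate:
    return Gate(len(children), tuple(children))


def OR(*children: "Policy") -> Gate:
    return Gate(1, tuple(children))


def THRESHOLD(k: int, *children: "Policy") -> Gate:
    return Gate(k, tuple(children))


def satisfies(policy: "Policy", attrs: FrozenSet[str]) -> bool:
    """True when the attribute set satisfies the policy tree.

    This is the predicate on which CP-ABE decryption succeeds or fails.
    It is monotone: adding attributes can never turn an accepted set into
    a rejected one, which is also why plain ABE cannot express negation.
    """
    if isinstance(policy, str):
        return policy in attrs
    matched = sum(1 for child in policy.children if satisfies(child, attrs))
    return matched >= policy.k


def minimal_sets(policy: "Policy") -> Set[FrozenSet[str]]:
    """All minimal attribute sets that satisfy the policy.

    A data owner can use this to audit whom a policy admits before
    encrypting under it: any user holding a superset of one of these
    sets will be able to decrypt.
    """
    if isinstance(policy, str):
        return {frozenset([policy])}
    child_sets = [minimal_sets(child) for child in policy.children]
    candidates: Set[FrozenSet[str]] = set()
    # Any k children satisfied together satisfy the gate: take the union of
    # one minimal set from each chosen child.
    for chosen in combinations(child_sets, policy.k):
        partial = {frozenset()}
        for options in chosen:
            partial = {p | o for p in partial for o in options}
        candidates |= partial
    # Drop any candidate that strictly contains another candidate.
    return {s for s in candidates if not any(t < s for t in candidates)}


# Constructed sample policy for a student record: a member of the university
# who is either a lecturer or holds any two of three administrative roles.
STUDENT_RECORD_POLICY = AND(
    "PSU",
    OR("lecturer", THRESHOLD(2, "dean", "registrar", "student_affairs")),
)


if __name__ == "__main__":
    samples = {
        "lecturer": frozenset({"PSU", "lecturer"}),
        "lone dean": frozenset({"PSU", "dean"}),
        "dean+registrar": frozenset({"PSU", "dean", "registrar"}),
        "outsider": frozenset({"lecturer", "dean", "registrar"}),
    }
    for name, attrs in samples.items():
        print(f"{name:>15}: {satisfies(STUDENT_RECORD_POLICY, attrs)}")
    print("minimal satisfying sets:", minimal_sets(STUDENT_RECORD_POLICY))
```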

1.6.4 Prototype solution

In order to solve the key escrow problem, a proposed Escrow-Free Key Issuing Protocol for CP-ABE is to be developed. Effective use of the tool requires a data sharing system architecture to be incorporated during the process. The key issuing protocol generates and issues user secret keys by performing a secure two-party computation (2PC) protocol between the key generation centre and the data storage centre, each holding its own master secret.

1.6.5 Test solution

The 2PC protocol prevents each party from obtaining any master secret information of the other, so that neither of them can generate the whole set of user keys on its own.


1.6.6 Result analysis

Through the proposed Escrow-Free Key Issuing Protocol for CP-ABE, data confidentiality and privacy can be cryptographically enforced against any curious KGC or data storage centre (DSC).

1.6.7 Communicate results

The key escrow problem can be solved by an escrow-free key issuing protocol, which is constructed using secure two-party computation between the key generation centre and the data storage centre. Fine-grained user revocation per attribute can be done by proxy re-encryption, which exploits selective attribute group key distribution on top of ABE. The performance and security analyses show that the proposed scheme is efficient for securely managing the data distributed in the data sharing system.
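The split-master-secret idea behind the escrow-free key issuing of 1.6.4 to 1.6.7, as an added toy illustration in Python (not the thesis's protocol and not Hur et al.'s construction): the master secret alpha exists only as two additive shares, one at the KGC and one at the DSC, so a user key g^(alpha*t) can be assembled only from one partial key from each party, while a single authority holding all of alpha could mint any user's key unilaterally. The group parameters are deliberately tiny and the two parties simply hand their partials to the user, where a real 2PC protocol would also hide each share from the other party.

```python
import hashlib
import secrets
from typing import Tuple

# Toy Schnorr group (constructed, insecure): p = 2q + 1 with p and q prime;
# G = 4 is a square modulo p and therefore generates the order-q subgroup.
P = 1019
Q = 509
G = 4


def split_master_secret() -> Tuple[int, int]:
    """Setup: KGC and DSC each pick a non-zero share in [1, Q-1].

    alpha = a + b (mod Q) is never held by either party.
    """
    a = secrets.randbelow(Q - 1) + 1
    b = secrets.randbelow(Q - 1) + 1
    return a, b


def master_public_key(a: int, b: int) -> int:
    """g^alpha, obtainable from the parties' public commitments g^a and g^b."""
    return (pow(G, a, P) * pow(G, b, P)) % P


def user_exponent(uid: str) -> int:
    """Per-user exponent t in [1, Q-1], derived from the user's identity here
    only to keep the demo deterministic (a real scheme picks t at random)."""
    digest = hashlib.sha256(uid.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def partial_key(share: int, uid: str) -> int:
    """Either authority's contribution g^(share * t) for user uid."""
    return pow(G, (share * user_exponent(uid)) % Q, P)


def combine_partials(kgc_part: int, dsc_part: int) -> int:
    """The user multiplies the partials: g^(a t) * g^(b t) = g^((a+b) t)."""
    return (kgc_part * dsc_part) % P


def issue_key(a: int, b: int, uid: str) -> int:
    """One complete escrow-free issuing round for a single user."""
    return combine_partials(partial_key(a, uid), partial_key(b, uid))


def check_user_key(mpk: int, uid: str, key: int) -> bool:
    """A user can verify an issued key against the public key alone:
    mpk^t = g^(alpha t) must equal the assembled key."""
    return pow(mpk, user_exponent(uid), P) == key


def escrowed_key(alpha: int, uid: str) -> int:
    """What a single authority holding all of alpha could do: mint any user's
    key without that user's involvement. This is the key escrow problem."""
    return pow(G, (alpha * user_exponent(uid)) % Q, P)


if __name__ == "__main__":
    a, b = split_master_secret()
    mpk = master_public_key(a, b)
    uid = "student-0001"
    key = issue_key(a, b, uid)
    print("assembled key valid:", check_user_key(mpk, uid, key))
    print("KGC partial alone valid:", check_user_key(mpk, uid, partial_key(a, uid)))
    print("DSC partial alone valid:", check_user_key(mpk, uid, partial_key(b, uid)))
    # If KGC and DSC pooled their shares they would recover alpha and the
    # escrow problem returns; the thesis's scheme targets exactly that case.
    print("colluding parties recover key:", escrowed_key((a + b) % Q, uid) == key)
```

Because Q is prime and every share and exponent lies in [1, Q-1], a lone partial key never equals the full key, which is what the assertions on `check_user_key` exercise.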

1.7 Research Contribution

This research work makes several major contributions, as follows:

1. A scheme for outsourcing data to the cloud in a secure fashion is proposed. Here the cloud service provider is unable to read the outsourced data; only authorised users in possession of the right attributes can access it, without arbitration by the data owner.

2. A general framework for an escrow-free key issuing protocol is defined on the basis of (but not limited to) Hur et al.'s CP-ABE [38]. The assumption in [38] that the Key Generation Centre (KGC) does not collude with the Data Storage Centre (DSC) (otherwise, they could derive the secret keys of every user by sharing their master secrets) is overcome in the proposed scheme.

3. Immediate user revocation is realised at the attribute level using access policy modification and proxy re-encryption. This enhances the backward/forward secrecy of outsourced data and alleviates the limitation on how many users can be revoked. Further, it frees the data owner from being concerned with any access policy for users; the owner only needs to define the access control policy for attributes, as in the existing ABE schemes.

4. A simulation study shows the scalability of the scheme in terms of computational workloads.


5. ABE is promising in providing cryptographically enforced fine-grained data access control for untrusted storage. Before ABE can be safely applied in practical systems, there are several essential security issues to be addressed. This research work addresses these issues and proposes several basic security enhancements to ABE.

6. User revocation is a challenging issue in ABE, as attributes are shared among an unbounded number of users. Revocation of one user may involve key update for the other non-revoked users and/or re-encryption of data files on the data servers. To facilitate user revocation on untrusted storage, this thesis proposes a novel scheme in which the data owner can revoke any user in a timely manner. The proposed scheme makes it possible for the data owner to securely offload most of the computation-intensive tasks related to user revocation to the data servers, which are assumed to be powerful. It achieves this goal by uniquely combining the proxy re-encryption technique [65] with ABE. The security of the proposed scheme is formulated and proved under standard cryptographic models.

7. In order to defend against key abuse attacks in ABE, and hence provide user accountability, this thesis enhances an existing construction of ABE and proposes a tracing mechanism that helps the data owner identify the key abuser(s). In practical systems, it would be difficult for the data owner to obtain a copy of the pirate's decryption key and verify its validity, because the data owner may not be able to gain physical access to the pirate's key storage device, or the pirate may have randomised the key storage memory. To address this issue, this research proposes a black-box tracing mechanism, i.e., tracing the pirate device just by observing its outputs on several inputs. Such a solution also enables the data owner to remotely trace suspicious users by tricking them into decrypting tracing ciphertexts, and thus makes the tracing process very convenient. A formal security proof and a performance analysis are both provided for this scheme. This work gives the same security extension to ABE that traitor tracing schemes give to conventional broadcast encryption [63, 64].

8. In current CP-ABE constructions [65, 66], the access policy has to be attached in plaintext to the data ciphertext in order to facilitate user decryption. This plaintext reveals the data owner's access policy and/or the users' access privilege information, and may cause privacy concerns. In order to provide better privacy protection, this thesis proposes two novel CP-ABE constructions under different security models. These constructions hide the access policy information from the data servers as well as from the users.

1.8 Research Delimitation

1.8.1 Data limitations

There are different forms of data that can be stored or processed in the cloud. The differences between integers and strings, symbols and texts, or data containing different levels of entropy can affect both the security guarantees and the query types that are required. The focus of this thesis is on strings and texts.

1.8.2 Legal limitations

The juridical boundaries regarding the processing of personal (private) data are country-dependent. In this thesis, we only examine the juridical boundaries and legal risks of handling data. These boundaries include laws and regulations regarding both personal data and secure cloud principles.

1.8.3 Cryptographic limitations

There are different cryptographic schemes that provide a degree of security. In this thesis, we mainly focus on the confidentiality aspects of cryptographic schemes, leaving other aspects such as data availability and integrity outside our scope. We justify this by the fact that trust in availability always depends on the cloud provider, as it can physically remove the database. The integrity of data is assumed to be secured by externally located logging systems and is not included as a requirement for our model.

1.9 Research Thesis Layout

This section of the thesis explains the documentation of the thesis work chapter by chapter.


Chapter 1 – Introduction: This chapter is the introduction part of the thesis work. It contains the introduction to cloud computing and its security concerns, the purpose of the research, the problem description, the research question, the type of research methodology used in this thesis work, the research process, the research contribution, the research delimitation, the structure of the thesis report and the ethical issues considered in writing this report.

Chapter 2 – International Standard Organization Certification for Cloud Computing Security: This chapter describes the International Standard Organization Certification for Cloud Computing Security, international standards and ISO, the legal nature and effect of international standards, cloud computing data protection risks, the need for the new standard ISO/IEC 27017, the previous ISO privacy-related standard, and the key elements of ISO/IEC 27017.

Chapter 3 – Background and Literature Review: This chapter describes the cryptographic background of the research carried out, the ABE model, the two variants of ABE and the challenges with CP-ABE for privacy preservation while outsourcing data over the cloud. This chapter also contains the literature study: the theoretical study of recent methods of cryptography and of the ABE methods of cryptography is presented and explained here.

Chapter 4 – Proposed Scheme: This chapter contains the description of the research methodology. The key aspects of the proposed cryptographic scheme are explained in detail. The scheme and the procedures by which CP-ABE cryptography is applied for encryption and decryption are explained here.

Chapter 5 – Applicability Analysis: This chapter illustrates the adoption of the proposed scheme for outsourcing student data over the cloud. Along with this, various scenarios are explained with the scheme.

Chapter 6 – Performance Analysis: The performance of the proposed scheme is demonstrated in this chapter. In addition, the simulation results obtained using Arena for the proposed scheme in terms of computational workloads are displayed here.

Chapter 7 – Conclusion and Future Directions: This is the final chapter of the thesis report and it consists of the concluding remarks on the proposed scheme. Along with these, proposals for improving the scheme in the future are also given.


1.10 Ethical Issues

All the ethical issues which are to be taken into account while carrying out a research study and writing up the related work in the form of a report are considered. For example:

Research participants will be briefed about the aims and objectives of the study and will be acknowledged for their valuable contribution.

Falsification, fabrication and misinterpretation of data will be avoided.

Works of other researchers and authors used in the research will be referenced and cited.


Chapter 2: Literature Review


2.1 Introduction

This chapter explains the general certifications normally obtained by larger cloud computing service providers, and the guarantees correspondingly associated with them. It also reviews ISO certification processes to understand the specific requirements of cloud computing service providers, so that the applicable certifications can be recommended. The three common certifications used by such services that are relevant to data security are listed in Table 2-1, while the chapter explores how ISO certification impacts data security within cloud computing processes.

Table 2-1 Different types of certifications for the data security by cloud providers.

Type of Certification               Regional Scope
ISO/IEC (Section 3.4.1)             International Standards
Safe Harbor (Section 3.4.3)         U.S. initiated agreement with EU
EU Model Clauses (Section 3.4.2)    EU initiated privacy guidelines

Data outsourcing refers to data saved in the cloud database and accessed by external people. Cloud storage services have become widely developed across disparate cloud computing services as companies outsource their data to the cloud database for its benefits of rapid resource elasticity, independent resource pooling and utilisation-based pricing. Despite the many advantages of storing data in a cloud database, risks to the security and confidentiality of companies emerge as their data is handled by untrusted parties, and these concerns have not yet been solved regardless of enhanced secure cloud computing. The foremost concern is the protection of data confidentiality and the privacy of companies, as these data are shared amongst multiple parties. This thesis focuses on these concerns, and this particular segment gives a succinct history and the central concepts that will be discussed.

2.2 International Standards and ISO

ISO is an abbreviation for the International Organisation for Standardisation, which is a Geneva-based non-governmental organisation founded in 1946. Today, some 146 countries follow the measurement standards recommended by this body, which has published more than 19500 international standards since its inception. Individual nations act as standardisation bodies within their jurisdiction, contributing to a closely coordinated network of standardisation processes. The framework contributes to a voluntary set of international standards which ensure that the products and services within specific markets are reliable and are of a certain minimum standard. ISO standards are normally formulated when the industry perceives that there is a need for technical standardisation in the processes executed [1].

The ISO staff is periodically informed of the requirement for standardisation within specific

functions either by their respective contacts within the various industries or by the various

consumer organizations. The ISO framework is bifurcated within the context of various

operational areas, including services, energy, climate change, food and nutrition, health etc.

The organization’s technical committee is tasked with developing the required standards

which are then finally communicated within the public domain. The time required towards

successfully concluding a given standard varies, from 24 to 48 months depending upon the

parameters involved. Generally, the process of concluding a standardized measure is

bifurcated into six different stages, initiated with a proposal which concludes with the

publication of the final result. The entire process would involve various ISO officials.

Generally, participating members nominate professionals and experts to the technical committees involved. It is relevant to state that during the enquiry process, when a draft of the standard is circulated amongst the various experts within the ISO forum, the final draft incorporates the most relevant and best practices recommended by the various professionals involved [1].

The entire process is concluded with a globally accepted standardized unit of measure, which

benefits the industry since it contributes in enhancing productivity levels, enabling firms to

access and tap into new markets while also simultaneously reducing the probability of

operational errors. From a consumer perspective, it helps them to adopt new technologies, which offers them greater choices in adopting and implementing a process [1].


2.3 Legal nature and effect of international standards

Normally, international standards are representative of a consensus arrived upon by the

members with regard to the various specifications and the associated criteria to be applied

upon in relation to the different manufacturing processes adopted, executing various services

or with regard to how different materials are classified. Therefore, this entails multiple

definitions of a standard adopted. As per the ISO/IEC definition stated within EN 45020, a

standard is a document which has been agreed upon by the consensus and the approval of a

recognised authority. It provides guidelines and characteristics determining the results

derived through the common and repetitive use of various processes, ensuring that optimum

conclusions were derived within a given context. Standards should be derived in

consideration of scientific and technical expertise towards benefiting the larger community as

a whole [1].

The EU considers the 98/34/EC Directive towards explaining technical specifications.

Therefore, Article 1 considers a standard in the context of a technical specification which is

approved and recognised by a standardisation authority, for continual application.

Correspondingly, the exclusion of the same would not necessarily invalidate the measure. An international standard refers to a measure of standardisation which has been circulated and accepted within the public domain. Regulation 1025/2012 further elaborates on the former definition, since it correlates the function with actual practice. Thus, a standard is

considered to be a technical specification which has been accepted by an authoritative

standardisation agency for widespread application, although it is not necessary to comply

with the measure at all times [1].

The standards adopted are generally voluntary. Considering that compliance is not always a

requisite, it may not be considered to be legally binding. This scenario is also applicable

within the context of international standards since the ISO standards are all a voluntary

measure. Therefore, there is no compulsion or a legal requirement to adopt the same.

However, despite its ambiguous status, a recommended standard is often considered to be a

soft law, particularly those in the context of fulfilling legal obligations. This is particularly

valid in the context of harmonised standards which are derived towards fulfilling European

Union directives in consideration of European Standardisation Organisation requirements

towards recommending how a legal provision is to be complied with. Although compliance with the same is not necessarily compulsory, being in agreement with it enables the implementer to conform to specific provisions of the legislation addressing uniform standards throughout the EU. Parties compelled to meet legal obligations are independent in choosing diverse methodologies in this regard, and are free to implement various technical standards. In any event, harmonised standards are not uniformly followed at the global level. Therefore, international standards are all voluntary measures which may be accepted by a greater percentage of the industry under relevant conditions, towards compliance with the soft laws to the extent possible.

The preceding text has debated the legal status of ISO standards. Although they do not

constitute formalized directives, the standards recommended could be considered to

constitute legally binding obligations, and could be implemented within specific contractual

relationships. Such notions of contractual relationships would be relevant in the context of

business relationships within various stakeholders. This could therefore include the seller or

the service provider, and the buyer or the recipient of the services provided. When specific

ISO parameters are incorporated within service level agreements, and if the same are

subsequently dishonoured, the seller is liable to be penalized for the same since they could be

held liable by the client in the context of contractual liability or the rule of tort [1].

As a result, the standards do not constitute binding instruments, since they are voluntary in nature. Formal legal distinctions are present, yet legal value is still present in the expectations and beliefs of the parties; it is not limited to commercial value. When a standard is to be applied, it is assumed that it will be complied with, since the parties would essentially be bound, and this compliance becomes lawful. This brings forward various legal penalties, since the formal legal distinction mentioned earlier runs parallel with these consequences. In the present analysis, it is essential to realise that the legal obligations and principle standards are not related. If a standard is being applied, the concerned party is required to abide by it and the burden is not reduced in any way [1].

2.4 Cloud Computing Data Protection Risks

For cloud computing, the essential user concerns are the issues related to personal data protection. The cloud client's and third parties' personal data is processed by the cloud service providers. There are various risks present, but most fall into the category of absence of transparency or lack of data control, according to the Article 29 Data Protection Working Party notes. The cloud brings specific data protection risks which must be managed regardless of the kind of service model being applied [1].

According to the Article 29 Data Protection Working Party, a lack of control is present if the data subject or the cloud client does not have control over the technical and organisational measures. Such measures must be present to make sure the data is portable, intervenable, isolated, transparent, confidential, integral and available. A cloud client would also be worried about the issues of interoperability and vendor lock-in. In a SaaS cloud computing case, a take-it-or-leave-it agreement is present between the cloud service provider and the cloud client. The contract cannot be negotiated or tailor-made by the client, which is why it is essential to reasonably allocate the responsibilities. For instance, the cloud service provider must not be subject to an overly broad exclusion-of-liability clause. Such a clause would increase the lack of control, as there would be contractual asymmetry [1].

Business-to-business (B2B) cloud computing implementations have an additional layer of actors, which is why there is a higher level of complexity. When the cloud service clients are the data controllers, the lack of control reduces their ability to comply with their own data protection legal obligations. There is a connection between the processing obligation and the exercise of data control under these obligations. If the isolation of the data cannot be ensured by the cloud client who functions as the data controller, a lack of control over the technical aspects is present on the cloud provider's side. The data must be safeguarded using appropriate measures across the various tenancies. If various cloud clients are providing the data, it is possible that the cloud controller's requirements would not be met. The personal data must be secured under the obligation of Art. 17 of the EU Data Protection Directive.

It may not be possible for the data controller to apply the Art. 12 obligations, since lack of control issues are present. These obligations include blocking, rectification and the right of access. Art. 14 of the same directive includes the right to object and erasure. The general principles of data quality are subject to risk in this context. A cloud client would not be able to provide guarantees if he is not in control of his own data processing. For instance, the processing of personal data might not be done in accordance with the initial plans, as Art. 6(1)(b) and Art. 6(2) of the EU Data Protection Directive require [1].

For personal data protection legislation, transparency is considered a vital principle and is clearly mentioned in Art. 10 of the EU Data Protection Directive. As part of this principle, the data controllers are required to provide the data subjects with information about the processing activity, along with the identity of the controller and the purpose of processing. The transparency principle also forms the foundation for other provisions. For instance, Art. 12(a) states that the data controller must confirm to the data subject whether the subject's personal data are being processed, without excessive delay or expense. If the first level of control is to be maintained, the cloud providers must be transparent with their clients. There should be process awareness, along with information about the cloud provider's means and measures. The competent supervisory authorities must also be provided with transparency. The risk of infringing the transparency provision increases in cloud computing, since it involves various specifics. For instance, the data processing involves a chain of subcontractors. In practice, cloud providers are observed to outsource most of their activities externally. Access to personal data may be given to these parties, which are subcontractors of the cloud provider and related to the cloud client. During their activities, they may process this personal information and would then be required to abide by the EU Data Protection Directive. It may be quite expensive and complex, administratively and technically, to establish control over the subcontractors and the operational process [1].

Furthermore, cloud clients are often unaware of where their data are stored, which gives rise to protection issues. The risks to personal data cannot be properly analysed when information about the geographic location of the data, and about the transfers between countries that the provider's business model entails, is unavailable. The location of the data normally determines which national law applies and which jurisdiction is competent. The present European data protection framework applies only if the controller is established on the territory of an EU Member State, or if equipment located in EU territory is used for purposes other than mere transit. Where the Directive applies, a transfer of personal data to a third country is permitted only if the requirements of Art. 25 are met, that is, if the third country ensures an adequate level of protection for the personal data. Data may be hosted at any of a provider's server locations, which can lie in different countries or continents, and the allocation is dynamic; this makes it difficult for the provider to assess the data transfers that take place and for the client to verify compliance with the applicable legislation [1].

Another significant data protection risk in cloud computing is the erasure of data. Data subjects may require the erasure of personal data whose processing does not comply with the EU Data Protection Directive, in particular data that are inaccurate or incomplete (Art. 12(b)). A 2009 ENISA report notes that in a cloud setting, where hardware resources are reused, the risk of incomplete or insecure deletion of data increases [1].

2.5 Need for a New Standard: ISO/IEC 27017

ISO/IEC 27002 is a code of practice: a generic advisory document rather than a formal specification. It sets out information security controls that address the management objectives arising from risks to the confidentiality, integrity and availability of information. Organisations that adopt ISO/IEC 27002 are expected to assess their own information security risks, define their control objectives and implement suitable controls (or other forms of risk treatment), using the standard as a guide. The standard therefore does not describe security controls specific to a rapidly evolving sector such as cloud computing. Several initiatives to fill this gap have been launched by the European Commission, by non-governmental organisations and by the industry itself, so the new standard ISO/IEC 27017 is neither the first effort in this field nor likely to be the last [2].

2.6 Previous ISO privacy-related standards

An overall privacy framework for information and communication technology systems is provided by an earlier ISO standard, which introduces a common vocabulary, identifies the actors involved in processing personal data and describes privacy safeguarding techniques. Its terminology, however, is not fully consistent with that of EU data protection law.


The ISO/IEC 27000 series provides control objectives for information security management together with guidance on establishing and maintaining information security management systems (ISMS). ISO/IEC 27000, published in 2009, supplies the common vocabulary for the family. The "Plan-Do-Check-Act" cycle underlies the whole ISO/IEC 27000 family, which stresses process alignment, integration and continual assessment of implementation.

ISO/IEC 27001, "Information technology – Security techniques – Information security management systems – Requirements", specifies the requirements for establishing and operating an ISMS and covers high-level operational and staffing matters. Within the same framework, ISO/IEC 27002, "Information technology – Security techniques – Code of practice for information security controls", gives guidance on selecting, implementing and managing controls in an ISMS; it serves as a reference for choosing controls when operating an ISMS based on ISO/IEC 27001, and it emphasises risk assessment as the basis for deciding which controls are relevant. Both 27001 and 27002 were revised in 2013.

The new standard ISO/IEC 27017 is titled "Code of practice for information security controls based on ISO/IEC 27002 for cloud services", which indicates that it builds on the existing controls of ISO/IEC 27002. The controls in ISO/IEC 27002 and ISO/IEC 27001 are the same; the difference is that ISO/IEC 27002 describes them in more detail (see the article "ISO 27001 vs. ISO 27002"). ISO/IEC 27017 therefore adds cloud-specific security controls to an area that ISO/IEC 27002 does not cover fully.

2.7 Key Elements of ISO/IEC 27017

The ISO/IEC 27017 standard is organised logically around categories of related security controls. Many controls could have been placed in more than one section; to avoid duplication and inconsistency each was allocated to one section and, where needed, cross-referenced from others. A card-access-control system for a computer room or archive/vault, for example, is both an access control and a physical control, and comprises technology together with the associated management, administration and usage processes and policies. This produces some oddities, such as section 6.2 on mobile devices and teleworking sitting inside section 6 on the organisation of information security, but the result remains a reasonably comprehensive model: not ideal, but adequate [2].

Figure ‎2.1 ISO/IEC 27017 Framework

(5) - Information security policies:

Management direction for information security

Management should define a set of policies that states its direction of, and support for, information security. At the top level there should be an overarching "information security policy", as required by section 5.2 of ISO/IEC 27001 [2].

(6) - Organization of information security

Internal organization

The organisation should define information security roles and responsibilities and assign them to individuals. Duties should be segregated across roles and individuals where appropriate, to prevent conflicts of interest and inappropriate activities. The organisation should maintain contacts with relevant external bodies (such as CERTs and special interest groups) on information security matters, and information security should be addressed in the management of all projects [2].


Mobile devices and teleworking

Security policies and controls should be in place for mobile devices (such as laptops, tablet PCs, smartphones, wearable ICT devices and similar equipment) and for teleworking (such as telecommuting, road warriors, working from home, and remote or virtual workspaces) [2].

(9) - Access control

Business requirements of access control

The organisation's requirements for controlling access to information assets should be clearly documented in an access control policy and supporting procedures. Network access and network connections should likewise be restricted [2].

User access management

The allocation of access rights to users should be controlled throughout their life cycle, from initial user registration to the removal of access rights that are no longer needed. This includes special restrictions for privileged access rights and for the management of passwords (now called "secret authentication information"), and access rights should be reviewed and updated periodically [2].

User responsibilities

Users should be made aware of their responsibilities for maintaining effective access controls, such as choosing strong passwords and keeping them confidential [2].

System and application access control

Access to information should be restricted in accordance with the access control policy, for example through secure log-on procedures, password management, control of privileged utility programs and restricted access to program source code [2].

(10) - Cryptography

Cryptographic controls

The use of encryption, of cryptographic authentication and integrity controls such as digital signatures and message authentication codes, and of cryptographic key management should all be governed by policy [2].


Because users of the ISO standards lacked confidence that the existing standards addressed the security and privacy aspects of cloud services, ISO and IEC issued ISO/IEC 27017. Its purpose was to offer a sector-specific standard against which providers can be audited and certified. Audits let cloud clients overcome the transparency problems that deter them from moving some or all of their operations to the cloud: a client that knows what measures the provider has adopted against specific data security risks has fewer concerns about a lack of information and control, a concern recognised by the Article 29 Data Protection Working Party. With certification by an independent third party (rather than self-certification), the provider can assure the parties concerned of its security measures, its technical and organisational measures and its policies.

The standard's objectives address the cloud service provider and its customers alike, and they are two sides of the same coin, since the standard gives both a way to satisfy their legal or contractual obligations towards each other. ISO/IEC 27017 gives the provider a means of meeting its contractual and legal obligations when acting as data processor and of demonstrating compliance, and it gives the cloud client a means of exercising its audit and compliance rights.

As regards scope, a key point of the new standard is that it applies to the cloud service provider only in its role as data processor. This study therefore concentrates on proposing a new cryptographic access control method that keeps data secure in the cloud.


2.8 Data Outsourcing Architecture

Several entities play a role in the architecture of a data outsourcing system [22], as depicted in Fig 2.2:

A. TRUSTED AUTHORITY (TA):

The trusted authority, also called the key generation centre (KGC), generates the public parameters and the master secret key of the system. It also authorises differential access rights to individual users on the basis of their attributes, and it is responsible for issuing, updating and revoking attribute keys for those users. It is the one party trusted by every entity in the data outsourcing system.

Figure 2.2 Architecture of a data outsourcing system

B. DATA OWNER:

The data owner is a client who holds data and wishes to outsource it to the external data servers operated by the service provider. Before outsourcing, the data owner defines an attribute-based access policy and enforces it on the data by encrypting the data under that policy.


C. USER:

A user is a party that wishes to access the outsourced data. The user can decrypt the ciphertext and obtain the data only if he holds an attribute set that satisfies the access policy of the encrypted data and none of his attribute group memberships has been revoked [18].

D. SERVICE PROVIDER:

The service provider, also called the data storing centre (DSC), provides the data outsourcing service and consists of a data service manager and a number of data servers. The data servers store the outsourced data of external data owners, while the data service manager controls access by external users to the outsourced data and provides the corresponding content services. As in prior proposals, the data service manager is assumed to be honest-but-curious: it follows the protocol and controls external users' access correctly, but it will try to learn as much as it can about the encrypted contents. It is also responsible for managing the attribute group key of every attribute group.

2.9 Security Requirements

The following high-level security requirements apply to sharing data over the cloud and are the deciding factors in identifying the risks:

A. Data Confidentiality:

Users whose attributes do not satisfy the access policy are not authorised to access the plaintext of the data and must be prevented from doing so. Likewise, the honest-but-curious data service manager must not be able to access the plaintext of the encrypted data.

B. Collusion-Resistance:

Several users who cannot individually decrypt a ciphertext may attempt to do so by pooling their attributes; such colluders must be prevented from decrypting the data. Because the service provider is assumed to be honest, active attacks in which it colludes with revoked users are not considered [23,24].

C. Backward and Forward Secrecy:

In attribute-based encryption, backward secrecy means that a user who newly acquires an attribute that satisfies the access policy must be prevented from reading the plaintext of data exchanged before he acquired that attribute. Forward secrecy means that a user who loses an attribute must be prevented from reading the plaintext of data exchanged after the attribute is revoked, unless the remaining valid attributes he holds still satisfy the access policy [23,24].

2.10 Cryptography Algorithms

Attribute-based encryption (ABE) was introduced by Sahai and Waters as a way to enforce access control with public key cryptography. Because it offers scalability, flexibility and fine-grained access control, ABE is widely used to realise cryptographic access control in cloud computing [25]. In an ABE scheme both the user's secret key and the ciphertext are associated with sets of attributes. Consider, for instance, the attribute set {Computer Science, Male, 40 years of age}; a tree access structure over these attributes is depicted in Fig 2.3.

Figure 2.3 ABE Tree access structure

In Fig 2.3 the leaves carry the individual attributes, while the interior nodes are AND and OR gates. An attribute set that satisfies the tree can reconstruct the secret and thereby recover the message. Several ABE variants have since been developed for settings in which, unlike the classical model, the user and the server are not in the same trusted domain.

Geetha [26] describes how Sahai and Waters proposed ABE in 2005 [25] and stresses that user attributes are what determine which users can encrypt or decrypt a given piece of information. Standard public key encryption performs poorly when, for instance, student records must be shared with many external parties, since the data would have to be encrypted separately under each recipient's public key. An ABE system comprises an authority, senders and receivers, each with a well-defined role: the authority issues keys and grants users access to data, and the parties' keys are used to encrypt and decrypt it. The authority holds two keys, the public key and the master key [25].

Two main types of ABE appear in the literature: Ciphertext-Policy Attribute-Based Encryption (CP-ABE) and Key-Policy Attribute-Based Encryption (KP-ABE) [27,28]. In CP-ABE the access policy is attached to each encrypted file, and the user's decryption key is generated from the user's set of attributes; it is described in detail in the following sections. In KP-ABE, conversely, the ciphertext is labelled with a set of attributes and each user is assigned an access structure that determines which ciphertexts that user may decrypt.

2.10.1 Key-Policy Attribute-Based Encryption

KP-ABE is the variant of ABE in which the access structure is embedded in the user's private key and ciphertexts are labelled with attributes. A user can decrypt a ciphertext when the attributes of the ciphertext satisfy the access structure of the user's key [27].

This is a one-to-many form of public key encryption: data are encrypted under the public key together with a set of descriptive attributes, and the access structure, expressed as an access tree over those attributes, is placed in the user's key. KP-ABE therefore belongs to the class of ABE in which attribute sets describe the ciphertexts while private keys carry the access structures that determine which ciphertexts a given user can decrypt. It has important applications when data are shared through storage with limited security assurances. In KP-ABE the ciphertext size grows linearly with the number of attributes attached to it. Combined with a re-encryption procedure, KP-ABE can support efficient user revocation and lets the data owner shift computational overhead to the cloud servers. A drawback of KP-ABE is that the encryptor has no control over who may decrypt the data beyond describing it with attributes; the decision rests with the key issuer, which the encryptor must trust [27].

KP-ABE, shown in Fig 2.4, consists of the following four algorithms:

A. Setup (randomized): takes the implicit security parameter and outputs the public parameters PK and a master key MK.

B. Encryption (randomized): takes a message M, a set of attributes γ and the public parameters PK, and outputs the ciphertext E.

C. Key Generation (randomized): takes an access structure A, the public parameters PK and the master key MK, and outputs a decryption key Ku for A.

D. Decryption: takes the ciphertext E (encrypted under the attribute set γ), the decryption key Ku (for the access structure A) and the public parameters PK, and outputs the message M if γ satisfies A.

Figure 2.4 KP-ABE scheme

2.10.2 Cipher Text-Policy Attribute-Based Encryption

CP-ABE differs from KP-ABE in that the ciphertext carries the access policy, while the user's key is described by the user's attributes. CP-ABE also consists of four algorithms (Setup, Encrypt, KeyGen and Decrypt), as shown in Fig 2.5:

A. Setup: generates the master key MK and the public parameters PK.

B. Encrypt: takes the message M, the public parameters PK and an access structure A, and outputs a ciphertext CT with A embedded in it. Only users whose attribute set satisfies A can decrypt CT.

C. KeyGen: takes the master key MK and a user's attribute set S, and outputs the user's private key Ku, which embeds S.

D. Decrypt: takes the private key Ku (for the attribute set S), the ciphertext CT (with the embedded access structure A) and the public parameters PK, and returns the original message M if S satisfies all the conditions of A [16].

Figure ‎2.5 CP-ABE scheme

CP-ABE can be understood as a generalisation of identity-based encryption (IBE): a single public key is used for encryption, and a master private key is used to derive the more constrained private keys of the users. Compared with IBE, CP-ABE supports far more expressive rules about which private keys can decrypt a given ciphertext [19]. Private keys are associated with sets of attributes (labels), and at encryption time the access policy attached to the ciphertext specifies which keys will be able to decrypt it [21].

In summary, in KP-ABE the encrypted data are described by attributes and the policies are embedded in the users' keys, whereas in CP-ABE the users' credentials are described by attributes and the encryptor chooses the policy under which the data can be decrypted. For a data sharing system CP-ABE is therefore preferable to KP-ABE, because it is the data owner who decides the access policy [24], [25].


2.11 Challenges Faced in CP-ABE

CP-ABE faces several obstacles when deployed in a data sharing system. Users' private keys are generated by the KGC by combining the master secret key with the user's attribute set. This removes much of the certificate storage and processing overhead of a traditional public key infrastructure (PKI), but it brings the key escrow problem: the KGC can decrypt every ciphertext addressed to any user, simply by generating the corresponding attribute keys. This undermines data confidentiality in a data sharing system [29].

The second problem is key revocation. Revoking or updating an attribute is difficult in ABE because each attribute is shared by many users, so revoking one user's attribute would affect all the other users who hold it and could require their private keys to be changed as well. Revocation is nevertheless essential for the security of the system, so an attribute group is defined as the set of users holding a given attribute; every member of the group is then affected whenever a single user or attribute is revoked, which creates a bottleneck during rekeying and a window of vulnerability in which security is degraded [29].

User revocation in ABE-based data sharing systems was addressed by Yu et al., where the data server performs proxy re-encryption [30]. For revocation, the KGC generates all the current secret keys together with a proxy key, and the server re-encrypts the ciphertext with that proxy key, obtained from the KGC, so that revoked users can no longer decrypt it. Since the KGC controls all the users' secret keys and the data server's proxy keys, the key escrow problem remains in this ABE scheme.

2.12 Related Work on Attribute-Based Encryption

Many solutions can be envisaged for exchanging encrypted data with a cloud provider securely, without directly entrusting the provider with key material, but naive schemes often prove hard to scale. The main drawback of a scheme based on a public key system such as RSA [33] (named after its authors Rivest, Shamir and Adleman, and relying on the difficulty of factoring large integers) is that the data owner must produce a separately encrypted copy of the data for each recipient allowed to access it. If instead the data are encrypted with a single key, that key must be shared with all authorised users, which carries a high communication cost, especially when the burden falls on the data owner. Users may join and leave the authorised set frequently, forcing constant key regeneration and redistribution over additional communication sessions to handle revocation; in a highly scalable system such events occur at a relatively high frequency, and wireless communication in particular is expensive and drains batteries quickly [34].

Ideally data should be stored in the cloud in encrypted form so that the cloud provider cannot read them. This relies on the keys being managed securely by an entity outside the provider's domain. The difficulty arises when new users join and existing ones leave, so that new keys must be generated: the encrypted data should be transformed so that they can be unlocked with the new keys, without an intermediate decryption step that would expose the plaintext to the cloud provider. This process is known as data re-encryption, and it appears to be a promising technique for managing encrypted data as access rights evolve over time.

To address these needs, Sahai and Waters [25] introduced attribute-based encryption (ABE). Instead of encrypting to individual users, an ABE system embeds an access policy in the ciphertext or in the decryption key. ABE also has the collusion-resistance property: if multiple users collude, they can decrypt a ciphertext only if at least one of them could decrypt it alone. Access control is thus enforced by the cryptography itself, with no trusted mediator required.

ABE can be viewed as an extension of identity-based encryption (IBE) in which the user's identity is generalised from a single string to a set of descriptive attributes. Compared with IBE [25], ABE has the significant advantage of flexible one-to-many encryption in place of one-to-one, and it is seen as a promising tool for secure, fine-grained data sharing and decentralised access control.

ABE has drawn extensive attention from both academia and industry; many ABE schemes have been proposed and several cloud-based secure systems using ABE have been built [35-38]. Goyal, Pandey, Sahai and Waters [16] were the first to achieve provably secure data access control for cloud computing using KP-ABE; however, because some of the users' attributes are revealed to the cloud, such systems do not fully preserve users' privacy. The HIBE-based scheme [37], by contrast, uses hierarchical encryption to protect data in the cloud, but it burdens each user with too many private keys to manage efficiently. In summary, these schemes either have privacy flaws or buy security at the cost of performance, so the dual goal of privacy-preserving yet efficient cloud data sharing remains open.

To preserve privacy and guarantee data confidentiality against the cloud, a cryptographic primitive named ciphertext-policy attribute-based encryption (CP-ABE) was introduced in Goyal, Pandey, Sahai, & Waters [16] and found to be more appropriate for the data outsourcing architecture than KP-ABE, because it enables data owners to choose an access structure over attributes and to encrypt the data to be outsourced under that access structure using the corresponding public attributes. For example, sensitive medical records, which are tightly related to patients' privacy, must be accessible only to users authorized with the patients' consent; solutions to exams in an online education system should likewise be readable only by professors or specified teaching assistants. CP-ABE handles such situations by encrypting the target information under expressive access policies, such as (“Medicine” and “Physician”) for the medical records and (“Professor” or (“Computer Science” and “Teaching Assistant”)) for the exam solutions. Thus CP-ABE can provide a complete solution for an access control system, offering efficient key distribution, expressive access control and data confidentiality.

Though CP-ABE is used to control the sharing of outsourced data, it confronts two obstacles. Firstly, the data owner must trust the attribute authority; secondly, attribute revocation in CP-ABE schemes is cumbersome, suffering from problems such as differing granularities of revocation, poor scalability and high computational complexity.


Recently, a new Secure Outsourced ABE system has been proposed which supports both secure outsourced key issuing and secure outsourced decryption. It offloads all access-policy and attribute-related operations of the key issuing or decryption process to a Key Generation Service Provider and a Decryption Service Provider respectively, leaving only a constant number of simple operations for the attribute authority and eligible users to perform locally. An outsourced ABE construction is also proposed which provides checkability of the outsourced computation results in an efficient way [57].

In [58] Shi, Zheng, Liu, & Han proposed directly revocable key-policy ABE with verifiable ciphertext delegation (drvuKPABE), which supports direct revocation and verifiable ciphertext delegation. drvuKPABE offers the following features, which are promising for data sharing applications:

(1) It allows the trusted authority to revoke users solely by updating the revocation list, avoiding interaction with non-revoked users, unlike indirectly revocable ABE.

(2) It allows a third party to update ciphertexts using public information so that those non-revoked users cannot decrypt them.

(3) It enables any auditor (authorized by the data owners) to verify whether the untrusted third party updated the ciphertexts correctly.

They formalize the syntax and security properties of drvuKPABE and propose a construction based on multilinear maps.

In [59] Liu, Huang, & Liu proposed a new approach for fine-grained access control and secure sharing of signcrypted (sign-then-encrypt) data for personal health records (PHR). They call it Ciphertext-Policy Attribute-Based Signcryption (CP-ABSC), and it satisfies the requirements of cloud computing scenarios for PHR. CP-ABSC combines the merits of digital signatures and encryption to provide confidentiality, authenticity, unforgeability, anonymity and collusion resistance.


In [60] Cheng, Wang, Ma, Wu, Mei, & Ren present a new revocation scheme which is efficient, secure and unassisted. The original data are first divided into a number of slices and then published to the cloud storage. When a revocation occurs, the data owner needs only to retrieve one slice, re-encrypt it and re-publish it. The revocation process is therefore accelerated, because only one slice is affected instead of the whole data set. They applied this efficient revocation scheme to CP-ABE based cryptographic cloud storage. Their security analysis shows that the scheme is computationally secure, and the theoretically evaluated and experimentally measured performance results show that the efficient revocation scheme can reduce the data owner's workload when revocation occurs frequently.

Recently, Liang, Au, Liu, Susilo, Wong, & Yang were the first to propose a new CP-ABPRE scheme that tackles the problem by integrating the dual system encryption technology with the selective proof technique. Although the scheme, which supports any monotonic access structure, is built in a composite-order bilinear group, it is proven adaptively CCA secure in the standard model without jeopardizing the expressiveness of the access policy. They further improve the scheme to achieve more efficiency in the re-encryption key generation and re-encryption phases.

2.13 Related Works with Key Escrow

Most of the existing ABE schemes are constructed on an architecture where a single TA, or Key Generation Centre (KGC), has the power to generate the whole private key of each user with its master secret information [35-40]. Thus the key escrow problem, which refers to the safeguarding of these data recovery keys, is inherent: the KGC can decrypt every ciphertext addressed to users in the system by generating their secret keys at any time.

Chase and Chow [39] presented a distributed KP-ABE scheme that solves the key escrow problem in a multi-authority system. In this approach, all (disjoint) attribute authorities participate in the key generation protocol in a distributed way such that they cannot pool


their data and link multiple attribute sets belonging to the same user. One disadvantage of this kind of fully distributed approach is performance degradation. Since there is no centralized authority with master secret information, every attribute authority must communicate with the other authorities in the system to generate a user's secret key. This results in O(N²) communication overhead in the system setup phase and in any rekeying phase, and requires each user to store O(N²) additional auxiliary key components besides the attribute keys, where N is the number of authorities in the system.

Chow [40] proposed an anonymous private key generation protocol in the identity-based setting such that the KGC can issue a private key to an authenticated user without knowing the list of users' identities. It seems that this anonymous private key generation protocol would work in ABE systems if an attribute were treated as an identity in this construction. However, it cannot be adapted to ABE systems, for two main reasons. First, in Chow's protocol the identities of users are no longer public, at least to the KGC, because otherwise the KGC could generate users' secret keys. Since public keys (attributes in the ABE setting) are no longer “public”, additional secure protocols are needed for users to obtain the attribute information from the attribute authorities. Second, since the collusion attack between users is the main security threat in ABE, the KGC issues different personalized key components to users by blinding them with a random secret, even when they are associated with the same set of attributes. This random secret is unique per user and must stay consistent for that user across any possible attribute change (such as adding some attributes). However, it is impossible for the KGC to issue a personalized key component with the same random secret as that of the user's attribute key components, since in Chow's key issuing protocol the KGC can by no means know which random secrets (used to issue a set of attribute key components) are assigned to which users.

2.14 Related Works with Revocation


In the traditional CP-ABE scheme, once users obtain their credentials from the system manager at the beginning of the setup phase, their access ability remains valid forever, even for those who break the confidentiality rules by abusing this private information. Upon detecting such malicious adversaries, the system manager, without any revocation mechanism embedded, has to rebuild the whole system. Therefore, a revocation mechanism should be designed into the system from the beginning rather than added after the other issues are addressed, as it requires careful planning of where functionality should be placed and how to reduce the computational and communication costs. This research aims at developing a CP-ABE scheme with efficient revocation.

Designing a revocation mechanism for CP-ABE is not a simple task when the following aspects are considered: first, the system manager associates user secret keys only with different sets of attributes instead of individual characteristics; second, users' individuality is replaced by several common attributes, and thus revocation of attributes or attribute sets cannot accurately exclude the misbehaving users; third, the system must be secure against collusion attacks from revoked users even though they share some common attributes with non-revoked users.

Within a traditional CP-ABE scheme, limited choices are available for addressing the revocation problem. One is the revocation of a single attribute, which is not connected with users' behaviour but is more likely to be a periodic update of the universal attribute set of the whole system. Another possible solution is to revoke one attribute set corresponding to one specific set of users. In this case, the access abilities of all users who share the same attribute set with the malicious user are revoked, which is inappropriate in real applications.

2.14.1 Attribute Revocation

Several attribute-revocable ABE schemes have been proposed [18, 41, 42]. They realize revocation by revoking the attribute itself using a timed rekeying mechanism, implemented by setting an expiration time on each attribute. We call this coarse-grained revocation because immediate rekeying on any membership change is not possible. Indeed, these approaches have two main problems. The first problem is the security degradation


in terms of backward and forward secrecy [38]. By nature, an attribute is shared by a group of users in an ABE system, so it is a realistic scenario that membership in the group sharing an attribute changes frequently. A new user might then be able to access data encrypted before he came to hold the attribute, until the data are re-encrypted with the newly updated attribute keys by periodic rekeying (backward secrecy). On the other hand, a revoked user would still be able to access the encrypted data even though he no longer holds the attribute, until the next expiration time (forward secrecy). Such an uncontrolled period is called the window of vulnerability [25]. The other problem is scalability. The key authority periodically announces key update material by unicast at each time slot so that all non-revoked users can update their keys. This can be a bottleneck for both the key authority and all non-revoked users. We observe that this is made worse by the fact that previous revocation schemes were designed without any consideration of scalable distribution of the updated attribute keys to the group of users who share the attribute. Thus, we argue that designing a scalable and fine-grained revocation mechanism in the data outsourcing architecture using ABE is still a pivotal open problem, and one of the problems this study attempts to solve.

Ibraimi et al. [28] and Yu et al. [30] proposed CP-ABE schemes with immediate attribute revocation capability, rather than periodic or timed revocation, with the help of a semi-trusted proxy deployed in the data server. However, they also failed to achieve fine-grained user access control in the data outsourcing environment.

2.14.2 User Revocation

The importance of user revocation has been recognized in many practical ABE-based systems. User revocation is an essential mechanism in many group-based applications [29, 32, 43-45], including ABE systems, because users may change their attributes frequently in practice. Fine-grained user-level revocation can be done using ABE that supports negative clauses, as proposed in [45]: one conjunctively adds the AND of the negations of the revoked user identities (each of which is treated as an attribute). However, this solution still lacks efficiency, as we will demonstrate in a later section. Golle et al. [46] also proposed a user-revocable KP-ABE scheme, but their scheme


only works when the number of attributes associated with a ciphertext is exactly half of the

universe size.

The previous user-revocable schemes also have a limitation with regard to availability. This concerns the granularity of user access control: attribute-level versus system-level revocation. In the previous schemes, when a user is revoked from even a single attribute group, he loses all access rights to the data sharing system. That is, the previous schemes realized user revocation at the system level, meaning that a user revoked from even a single attribute group is destined to be revoked from the whole system. Although these schemes realized immediate user revocation, such a scenario is less desirable than attribute-level user access control in many practical data outsourcing scenarios.

Attrapadung and Imai [47] suggested another user-revocable ABE scheme addressing this problem by combining broadcast encryption schemes with ABE schemes. However, in this scheme the data owner must take full charge of maintaining all the membership lists for each attribute group to enable direct user revocation. This scheme is not applicable to the data outsourcing architecture, because data owners are no longer directly in control of data distribution after outsourcing their data to the external data server.

Data security is a fundamental issue for remote data storage. On one hand, disclosure of sensitive data, such as health records, stored on remote data servers must be strictly controlled before users are free to use the data services; fine-grained data access control mechanisms usually have to be put in place to guarantee appropriate disclosure of sensitive data among different users. On the other hand, in remote data storage users do not physically possess their data. Remote data service providers are almost certain to be outside the users' trust domain, and are not permitted to learn the users' sensitive data stored on their servers. Consequently, users cannot rely on remote data servers to enforce access control policies as in conventional access control [67], where the reference monitor has to be fully trusted. User-enforced data access control is therefore highly desirable for remote data storage.


Chapter 3: An Improved CP-ABE Scheme for Data Outsourcing over Cloud


3.1 Introduction

This chapter proposes an enhanced CP-ABE scheme for outsourcing data securely over the cloud by removing the key escrow during key generation as well as by enforcing fine-grained data access control. It then explains how user secret keys are generated using a secure two-party computation (2PC) protocol to overcome the key escrow problem and prevent a curious KGC or DSC from deriving the private keys individually. Finally, it highlights how the proposed scheme achieves immediate user revocation on each attribute set while taking full advantage of the scalable access control provided by CP-ABE.

3.2 Models and Assumptions

3.2.1 Security Model

This research work aims to put forward an innovative cryptographic design that is suitable in terms of security and privacy. The system is composed of the following parties:

A. Key generation centre (KGC): a key authority that generates the public and secret parameters for CP-ABE. It is in charge of issuing, revoking and updating attribute keys for users, and grants differential access rights to individual users based on their attributes [38].

B. Local Authority (LA): an entity within the organization that authenticates data owners and users. The LA takes part in generating the user key together with the KGC and the DSC, to prevent those two parties from colluding to guess user secret keys.

C. Data-storing centre (DSC): an entity that provides the data sharing service. It is in charge of controlling access by outside users to the stored data and providing the corresponding content services. The DSC is another key authority: it generates the personalized user key together with the KGC, and issues and revokes attribute group keys to valid users per attribute, which are used to enforce fine-grained user access control, similar to the previous schemes [38].

D. Data owner: a client who owns data and wishes to upload it to the external data-storing centre for ease of sharing or for cost saving. A data owner is responsible for defining the (attribute-based) access policy and enforcing it on its own data by encrypting the data under the policy before distributing it [38].


E. User: an entity that wants to access the data. If a user possesses a set of attributes satisfying the access policy of the encrypted data, and is not revoked from any of the valid attribute groups, then he will be able to decrypt the ciphertext and obtain the data [38].

3.2.2 Assumptions

The scheme proposed in this thesis is built on the same assumptions as in the literature [30-40].

A. Both key managers, the KGC and the DSC, are assumed to be semi-trusted. Therefore they should be deterred from accessing the plaintext of the data to be shared; meanwhile, they should still be able to issue secret keys to users. To realize this somewhat contradictory requirement, the two parties engage in the arithmetic 2PC protocol with master secret keys of their own and issue independent key components to users during the key issuing phase. The 2PC protocol deters them from learning each other's master secrets, so that neither of them can generate the whole set of secret keys of users individually. Thus, we assume that the KGC does not collude with the DSC, since they are honest (otherwise they could derive the secret keys of every user by sharing their master secrets).

B. Users are assumed to be untrusted. They will try to access files beyond their privileges by colluding with other users, or even with the server.

C. We also assume that the data owner can not only store data files but also define the access policy for his data files.

D. The cloud servers are always online and are assumed to have abundant storage capacity and computation power. At the same time, a cloud administrator may read the contents of user data stored in the cloud for nefarious reasons or simply out of curiosity. Thus, data stored in the cloud should remain encrypted at all times, and any required transformation of it should not reveal the plaintext in the process.

E. All communications between data owners/users and cloud servers are assumed to be carried over the secure shell protocol (SSH).

3.3 Proposed CP-ABE Scheme Construction

Since the first CP-ABE scheme proposed by Bethencourt et al. [24], dozens of subsequent CP-ABE schemes have been suggested, mostly motivated by a more rigorous


security proof in the standard model. However, most of these schemes failed to achieve the expressiveness of Bethencourt et al.'s scheme [38]. Therefore, instead of building a new CP-ABE scheme from scratch, this section proposes a variation of the CP-ABE scheme partially based on (but not limited to) Bethencourt et al.'s construction, in order to enhance the expressiveness of the access control policy. Its key generation procedure is modified to alleviate the key escrow problem. The proposed scheme is then built on this new CP-ABE variation by further integrating it with the proxy re-encryption protocol for user revocation. The standard CP-ABE scheme consists of the following six phases:

A. Set-up phase: runs a setup algorithm that takes the universal attribute set U and the maximum index n_max of columns in an access structure as inputs. It outputs the public parameters PP and a master key MK [30-40].

B. Key generation phase: employs a key issuing protocol involving three parties, LA, KGC and DSC, to generate user secret keys and overcome the key escrow problem. First, the LA authenticates the data owner. Then the data owner defines, for the KGC, the set of attributes that can be used to authenticate a user u_t who is entitled to a set S of attributes. Next, the KGC performs the secure 2PC protocol with the LA and the DSC. The user then receives three key components from the LA, DSC and KGC as a result of the protocol. Finally, the user derives the whole secret key from the three key components [38].

C. Encryption phase: a randomized algorithm that takes as input the public parameters PP, a message M and an access structure AS over the universe of attributes. It outputs a ciphertext CT such that only a user who possesses a set of attributes satisfying the access structure will be able to decrypt the message.

D. Proxy re-encryption phase: before outsourcing the data CT, the DSC re-encrypts it by running ReEncrypt(CT, G) using the membership information for each attribute group G that appears in the access tree of CT.

E. Key update phase: when a user comes to join or drop an attribute, the KGC notifies the DSC of the event and sends the updated membership list. The DSC rekeys the corresponding attribute key to prevent the user from accessing the previous or subsequent encrypted data, for backward or forward secrecy respectively.


F. Decryption phase: on receiving the ciphertext from the DSC, the user first updates its attribute keys and then decrypts, taking the ciphertext C with access structure AS and the secret key SK. If the attribute set associated with SK satisfies the access structure AS and the unique identifier associated with SK has not been revoked, decryption succeeds and returns a message M; otherwise it returns nothing.

3.4 Escrow-Free Key Issuing Protocol

In our scheme, the KGC and the DSC are assumed to be semi-trusted. Therefore they should be deterred from accessing the outsourced data; meanwhile, they should still be able to issue secret keys to users. To realize this contradictory requirement and resolve the key escrow problem, the proposed scheme uses the 2PC protocol as in Hur [38], but introduces the LA alongside the KGC and the DSC to issue independent key components to users during the key issuing phase. The 2PC protocol prevents the parties from learning each other's master secrets, so that none of them can generate the whole set of secret keys of users individually. Thus, the assumption in Hur [38] that the KGC does not collude with the DSC (otherwise they could derive the secret keys of every user by sharing their master secrets) is overcome in the proposed scheme.

In the escrow-free key issuing protocol of the proposed scheme, the user is required to contact three authorities, LA, KGC and DSC, to get the required key components. On receiving the request from a user, the KGC is responsible for authenticating the user and initiates the secure 2PC protocol with the DSC and the LA to generate the user secret key. Both of these parties execute the secure 2PC protocol with the KGC using their own master secret keys and issue independent key components to the user. Then, the user generates the complete secret key from the key components received separately from the three authorities, using the following scheme:

A. via PP ← Setup(1^λ), the trust initializer chooses a bilinear group G0 of prime order p with generator g according to the security parameter, and e denotes the bilinear map e: G0 × G0 → G1. It also chooses a hash function H: {0,1}* → G0 from a family of universal one-way hash functions. The public parameter PP is given by (G0, g, H).


B. via (PK_K, MK_K) ← KKeyGen(), the KGC chooses a random exponent β and sets h = g^β. It then outputs the public and private key pair PK_K = h, MK_K = β.

C. via (PK_D, MK_D) ← DKeyGen(), the DSC chooses a random exponent α1. It then outputs the public and private key pair PK_D = e(g, g)^α1, MK_D = α1.

D. via (PK_LA, MK_LA) ← LAKeyGen(), the LA chooses a random exponent α2. It then outputs the public and private key pair PK_LA = e(g, g)^α2, MK_LA = α2.

E. Next, as depicted in Fig. 3.1, the KGC initiates the 2PC protocol with the data-storing centre and the LA as follows:

i. When the KGC authenticates a user u_t, it selects random exponents 1 and 2 for the DSC and the LA respectively and sets r_t = 1 + 2. This r_t value is a personalized and unique secret of the user, which must stay consistent for any further attribute additions to the user. Then the KGC engages in a secure 2PC protocol with the DSC and the LA, where the KGC's private input is (1, 2, β) and the private inputs of the DSC and the LA are α1 and α2 respectively. The secure 2PC protocol returns the private output x1 = (r_t + α1)β to the DSC and x2 = (r_t + α2)β to the LA.

ii. The DSC and the LA randomly pick 1 and 2 respectively and compute y_i = g^((i + αi)β / i). Each then sends y_i to the KGC, where i = 1, 2.

iii. The KGC computes z_i = y_i^(1/β²) = g^((i + αi) / (iβ)) and sends it to the DSC and the LA respectively.

iv. The DSC and the LA each output their personalized key component z_i = g^((i + αi) / β) to the user.

v. User u_t computes its personal key component D = g^((α1 + α2 + r_t) / β).


Figure 3.1 Two-party computation protocol among KGC, LA and DSC
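As an added worked example (not the thesis's code), the exponent arithmetic of steps B to E above can be checked in Python: a prime-order subgroup of Z_p^* stands in for the bilinear group G0, since no pairing is needed for the key issuing steps, and the secure 2PC sub-protocol, which the text does not specify, is modelled as an ideal functionality. The KGC's per-party exponents (whose sum is r_t) and the blinding exponents picked by the DSC and the LA are called gamma_i and theta_i in the code; those names are my own, since the symbols did not survive extraction, and the example assumes each x_i carries the KGC's share for that party rather than the whole r_t, which is the reading under which the two components multiply to the D of step v.

```python
import secrets


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the ~21-bit demo modulus produced by setup()."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def setup(start: int = 1_000_000):
    """PP <- Setup: find a safe prime p = 2q + 1 at or above `start` and return
    (p, q, g) with g generating the order-q subgroup of Z_p^* (stand-in for G0)."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    p = 2 * q + 1
    g = pow(2, 2, p)            # a square, hence inside the order-q subgroup
    return p, q, g


def rand_exp(q: int) -> int:
    """Uniform non-zero exponent in Z_q."""
    return secrets.randbelow(q - 1) + 1


def ideal_2pc(gamma_i: int, beta: int, alpha_i: int, q: int) -> int:
    """Ideal functionality for the secure 2PC of step (i): the KGC contributes
    (gamma_i, beta), the other party contributes alpha_i, and only the product
    x_i = (gamma_i + alpha_i) * beta is output to that party.  The thesis does not
    specify the 2PC construction itself, so it is modelled here, not implemented."""
    return (gamma_i + alpha_i) * beta % q


def issue_key(p: int, q: int, g: int):
    """Run the three-authority key issuing of Section 3.4 for one user.
    Returns (D, view); the view of all secrets exists only so the run can be checked."""
    beta = rand_exp(q)                               # MK_K = beta, PK_K = g^beta
    alpha = {"DSC": rand_exp(q), "LA": rand_exp(q)}  # MK_D = alpha_1, MK_LA = alpha_2
    while (alpha["DSC"] + alpha["LA"]) % q == 0:     # keeps the escrow check below meaningful
        alpha["LA"] = rand_exp(q)
    gamma = {"DSC": rand_exp(q), "LA": rand_exp(q)}  # KGC's per-party exponents (my naming)
    r_t = (gamma["DSC"] + gamma["LA"]) % q           # personalised, per-user secret

    components = {}
    for party in ("DSC", "LA"):
        x_i = ideal_2pc(gamma[party], beta, alpha[party], q)   # step (i)
        theta = rand_exp(q)                                     # party's blinding exponent
        y_i = pow(g, x_i * pow(theta, -1, q) % q, p)            # step (ii): g^(x_i / theta)
        z_i = pow(y_i, pow(beta * beta % q, -1, q), p)          # step (iii): y_i^(1 / beta^2)
        components[party] = pow(z_i, theta, p)                  # step (iv): g^((gamma_i+alpha_i)/beta)

    D = components["DSC"] * components["LA"] % p                # step (v)
    return D, {"beta": beta, "r_t": r_t, "alpha": alpha}


def expected_D(p, q, g, view):
    """Closed form D = g^((alpha_1 + alpha_2 + r_t) / beta) of step (v), computed
    with every secret in one place purely to check the protocol run."""
    num = (view["alpha"]["DSC"] + view["alpha"]["LA"] + view["r_t"]) % q
    return pow(g, num * pow(view["beta"], -1, q) % q, p)


def kgc_only_view(p, q, g, view):
    """The best the KGC can form from what it alone holds (beta and r_t, no alpha):
    g^(r_t / beta).  It differs from D, which is the escrow-freeness being claimed."""
    return pow(g, view["r_t"] * pow(view["beta"], -1, q) % q, p)


if __name__ == "__main__":
    p, q, g = setup()
    D, view = issue_key(p, q, g)
    print("protocol D matches closed form:", D == expected_D(p, q, g, view))
    print("KGC alone reproduces D:", kgc_only_view(p, q, g, view) == D)
```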

3.5 User Revocation

Hur and Xie et al. [38] proposed efficient attribute revocation schemes which use a key-encrypting-key tree for each user. During attribute revocation, the authority re-encrypts all the ciphertexts with the newly generated key encrypting key, which may incur a high computation cost on the authority, and management of the tree becomes a bottleneck for the DSC when the system needs to add or delete users. Yang et al. [55] also proposed an attribute revocation scheme in CP-ABE in which the authority updates the ciphertext and produces new keys, including a new version key, update key and secret key. However, the scheme places heavy computation on the authority and causes more communication between the authority and users.

From an extensive literature study, it was observed that it is impossible to revoke specific attribute keys of a user without rekeying the user's whole set of key components in the ABE key structure, since the whole key set of a user is bound to the same random value in order to prevent collusion attacks. Therefore, revoking a single attribute in the system requires all users who share that attribute to update all their key components, even if their other attributes are still valid. This is very inefficient and may cause severe overhead in terms of computation and communication cost.

For example, suppose that a user u_t is qualified with l different attributes. Then all l attribute keys of user u_t are generated with the same random number r_t in the ABE key architecture.


When one attribute of the user needs to be revoked while the other l - 1 attribute keys of the user remain valid, those other l - 1 keys must be updated with a new r_t' different from r_t and delivered to the user. Unless the other l - 1 keys are updated, the attribute key to be revoked can still be used as a valid key until they are updated, since it is still bound to the same r_t. Therefore, in order to revoke a single attribute key of a user, O(l) keys of the user need to be updated. If n users share the attribute, then a total of O(nl) keys need to be updated in order to revoke just a single attribute in the system.

One promising way to immediately revoke an attribute of specific users is to re-encrypt the ciphertext under a new access structure AS. Thus, before distributing the ciphertext, the DSC receives a set of membership information from the KGC for each attribute group G and re-encrypts the ciphertext. In this regard, the DSC must obtain the user access (or revocation) list from the KGC for each attribute group, since otherwise revocation cannot take effect at all. This setting, where the DSC knows the revocation list, does not violate the security requirements, because the DSC is only allowed to re-encrypt the ciphertexts and can by no means obtain any information about users' attribute keys. Since the proposed scheme is built on [5], we recapitulate some definitions from [5] to describe our construction in this section, such as the access tree and the Encrypt and Decrypt algorithm definitions. The proposed scheme uses the following three algorithms to accomplish the user revocation capability:

1. Via CT <- Encrypt(PP, M, AS), anyone can encrypt a message M with PP under an access structure AS over the universe of attributes and produce a ciphertext CT such that only a user possessing a set of attributes that satisfies the access structure will be able to decrypt the message. CT implicitly contains AS.

2. Via CT' <- ReEncrypt(PP, CT, NAS), when a user comes to hold or drop an attribute, the users with the corresponding attributes must be prevented from accessing the previously or subsequently encrypted data, for backward or forward secrecy respectively. To do so, the scheme reencrypts CT with PP under a new access structure NAS defined on the set of non-revoked attributes. The reencrypted CT' can only be decrypted by users who possess a set of attributes that satisfies the new access structure and who hold a valid membership for each of them (a valid attribute group key for each of the attributes).

3. Via M <- Decrypt(CT', SK, KA), a user whose SK satisfies the access structure embedded in CT' and who holds a set of attribute group keys KA for a set of attributes A decrypts CT' and recovers the message M, iff A satisfies NAS.

3.6 Implementation API for Proposed CP-ABE Scheme

This research work integrates CP-ABE into a set of software modules, a middleware that allows programmers to build secure applications by means of data encryption based on an access policy defined over a set of attributes. Fig. 3.2 shows the layered view of the modules needed to construct and execute secure applications based on the CP-ABE scheme proposed in this thesis. The proposed set of security modules is written in Java and built on top of the CP-ABE library of Bethencourt and Sahai [54], which performs the low-level finite field, group and pairing computations. The use of Java allows a broader range of applications, as the security scheme can be used across different platforms.

Figure 3.2 Layered view of components for building secure applications using CP-ABE

The set of Java classes comprising the new CP-ABE library is shown in Fig. 3.3. The server-side software modules comprise classes for AES file encryption, CP-ABE re-encryption and key updating. The client-side classes are CP-ABE setup, CP-ABE key generation and CP-ABE encryption/decryption. The class AES in Fig. 3.3 is a Java wrapper class for the AES implementation provided by Java SE; this wrapper adds the methods required to interface the symmetric cipher with CP-ABE. The table below shows how the proposed Application Program Interface (API) for CP-ABE can be used. It targets the encryption of digital documents (.doc or .pdf); after encryption, these files can be outsourced to the cloud.

Figure 3.3 Proposed set of classes for CP-ABE

Table 3-1 Encrypting a digital document using the proposed CP-ABE library

import abe.cpAbe.client.encryption.*;

// Enclosing class name chosen here so the snippet compiles; the thesis table shows only main()
public class EncryptDocument {

    public static void main(String[] args) {

        // Access policy over attributes: only a key whose attributes satisfy it can decrypt
        String policy = "(lecturer and level = Junior) OR (TA and level = PYP)";

        CPABECipher cipher = new CPABECipher();

        // Encrypt major.pdf under the policy (arguments as given in the thesis table)
        cipher.encrypt("major.pdf", 128, policy);

    }

}
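The decrypt condition above (a user decrypts iff the attribute set A satisfies the access structure) and the policy string of Table 3-1 can be checked with the following added example, which is not part of the thesis library: it parses the library's policy syntax into an access tree of threshold gates, AND as k-of-k and OR as 1-of-k as in the access tree of [5], and tests whether a user's attribute set satisfies it. The parser and the "name=value" encoding of attributes with values are this example's own conventions.

```python
"""Access-tree satisfaction test for the CP-ABE policy syntax used in Table 3-1.
Constructed example, not the thesis library: AND = k-of-k gate, OR = 1-of-k gate."""
import re
from typing import List, Tuple, Union

# A node is either a leaf attribute string or a threshold gate (k, children).
Node = Union[str, Tuple[int, List["Node"]]]

_TOKEN = re.compile(r"\(|\)|=|[A-Za-z0-9_.-]+")


def parse_policy(text: str) -> Node:
    """Recursive-descent parser: expr := term ('or' term)*, term := leaf ('and' leaf)*,
    leaf := '(' expr ')' | NAME ['=' VALUE]. 'and' binds tighter than 'or'."""
    toks = _TOKEN.findall(text)
    pos = 0

    def peek():
        return toks[pos].lower() if pos < len(toks) else None

    def take() -> str:
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of policy")
        pos += 1
        return toks[pos - 1]

    def leaf() -> Node:
        if peek() == "(":
            take()
            node = expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        name = take()
        if name.lower() in ("and", "or", ")", "="):
            raise ValueError(f"unexpected token {name!r}")
        if peek() == "=":  # "level = Junior" becomes the single attribute "level=Junior"
            take()
            name = f"{name}={take()}"
        return name

    def term() -> Node:
        parts = [leaf()]
        while peek() == "and":
            take()
            parts.append(leaf())
        return parts[0] if len(parts) == 1 else (len(parts), parts)  # k-of-k

    def expr() -> Node:
        parts = [term()]
        while peek() == "or":
            take()
            parts.append(term())
        return parts[0] if len(parts) == 1 else (1, parts)  # 1-of-k

    tree = expr()
    if pos != len(toks):
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return tree


def satisfies(node: Node, attrs) -> bool:
    """True iff the attribute set satisfies the tree: a leaf is satisfied when the
    attribute is held, a gate (k, children) when at least k children are satisfied."""
    if isinstance(node, str):
        return node in attrs
    k, children = node
    return sum(satisfies(child, attrs) for child in children) >= k


if __name__ == "__main__":
    tree = parse_policy("(lecturer and level = Junior ) OR (TA and level = PYP)")
    for user in ({"lecturer", "level=Junior"}, {"TA", "level=Junior"}, {"TA", "level=PYP"}):
        print(sorted(user), "->", satisfies(tree, user))
```

This models only which attribute sets decrypt; the key randomization that stops two users from pooling their attributes (Section 5.1, collusion resistance) is a property of the cryptographic keys, not of this predicate.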

3.7 Conclusion

CP-ABE is a promising cryptographic solution for fine-grained access control in many practical applications such as distributed data systems. However, the key escrow problem and the user revocation problem are inherent in standard CP-ABE schemes. To the best of our knowledge, only a few works in the literature have attempted to address these two challenges in CP-ABE. As described above, the proposed scheme addresses key escrow by involving three parties in key generation and by adopting a key issuing protocol between the KGC and the DSC. It also provides user revocation without additional computation overhead by incorporating the update information in the decryption phase.


4 Chapter 4: Applicability Analysis - A Case Study on Academic Environment (University)


4.1 Introduction

The development of new technologies has deeply influenced traditional educational practices. Over the past few decades, technology has been seamlessly integrated into our lives and has raised the need for sociotechnical systems in the education domain. There has been much research on electronic student care, focusing on the use of electronic student records for monitoring students and their progress. Moreover, traditional educational settings with paper-based student records have also advanced to electronic student academic and personal records [48].

Nevertheless, electronic student records may be exposed to abuse and require security measures based on identity management, access control, policy integration and compliance management. It is also claimed that storing huge volumes of students' sensitive data in third-party cloud storage is susceptible to loss, leakage or theft. Moreover, traditional network security mechanisms are not sufficient for data outsourced for storage. Therefore, the confidentiality and integrity of stored student data is deemed one of the major challenges raised by external storage. The literature indicates that cryptographic storage significantly enhances the security of the data. In particular, in a public cloud environment operated by commercial service providers and shared with many other users, data privacy and security is the most important requirement. In this regard, this chapter outlines the need for securing student records and reports a preliminary evaluation of the proposed scheme in an academic environment for outsourcing data over the cloud. The evaluation ranges from applicability and feasibility, through ease of use and support, to efficiency and effectiveness [49,50].

4.2 Need and requirements for privacy in the Academic cloud

Traditionally, student academic records are kept as a hard copy file in the office of the institution, and another copy is issued to the student by the authorized party. In Fig. 4.1, the solid lines indicate that a hard copy of a student's records has been issued to the respective student, whereas the dotted lines show that the academic information is also kept in electronic or digital form in databases. This copy is used for many purposes, such as admission to a college or university or for job interviews. For job interviews or admission, candidates move from place to place with the original hard copies of their certificates, and they have to take care of these wherever they go for counselling and interviews. In this system they may lose the files while travelling, in a fire, etc., which may happen at any time. Further, getting a lost file back through the system's rules and regulations is very time consuming; even though the concerned institution issues a copy of the file that is equivalent to the original files or certificates, it is delayed. By going through these system protocols to get their academic records back, students can lose the opportunity to enroll in a college or university for higher studies, or sometimes a job [48].

Figure 4.1 Existing system for keeping student academic records.

Also, with decades of student records stored on site, universities receive frequent requests for documents such as transcripts. From a university's point of view, in order to provide quality care for students, it is important to gain access to integrated student information, which is often collected at the university, to ensure the freshness of time-sensitive data. An efficient, secure and low-cost mechanism is required for sharing student records among multiple universities. However, in current settings, universities mostly establish and maintain their own electronic student record (ESR) systems for storing and managing student records. It is expensive for a university to run a self-managed data center. Besides, it is extremely slow and costly to share and integrate its system with ESR systems managed by other universities. Such slow and costly sharing has become one of the biggest obstacles to moving the university care information technology industry forward. A common and open infrastructure platform can play a vital role in addressing and changing this situation.

Adoption of cloud computing (CC) for record keeping is an emerging, sound technology offering service on demand. It has shown enormous potential to enhance collaboration, scale, agility, cost efficiency and availability. As such, universities are interested in shifting their ESR systems to the cloud instead of building and maintaining a dedicated data center. Essentially, the cloud service providers should fully recognize and deal with the security concerns in the cloud to raise the level of trust of students and universities.

Due to the distributed architecture of the cloud, the student records are stored at and shared among many third-party providers. Therefore, the data is susceptible to unauthorized access and attacks. Various approaches are used to maintain the privacy of the academic cloud, based on particular adversarial models. One model assumes the cloud servers are untrusted entities that could possibly disclose sensitive student information. Moreover, such untrusted cloud servers are vulnerable to threats from internal and external adversaries. The adversaries may not only attempt to access the encrypted student data through forged credentials but can also gain access to the student data as privileged users. In the second model, threats to student data stored on trusted cloud servers come from inside adversaries. For instance, parts of the data may be saved by instructors or administrative staff, who could subsequently share the data with unauthorized entities, thereby causing information disclosure. In the third model, the cloud servers are semi-trusted. Semi-trusted cloud servers are usually considered honest, but they are curious to obtain as much information as possible and may collude with some malicious users [50]. In such situations, the adversaries may not only tamper with the student data but can also share or sell the academic information to unauthorized parties. For example, the student contact information may be revealed or tampered with. Therefore, preserving the privacy of student data in the cloud has multiple requirements to be fulfilled. The requirements include integrity, confidentiality, authenticity, accountability, audit, non-repudiation, anonymity and unlinkability [51-52]. Very few approaches have been proposed to preserve the privacy of student data in the cloud. Therefore, this chapter attempts to employ the proposed scheme for outsourcing student data securely over the cloud.

4.3 Challenges in adopting the proposed scheme for the Academic Environment

We found challenges in adopting the proposed scheme to achieve fine-grained access control. ABE can be used to encrypt data before storing it in the cloud; however, integrating ABE into academic cloud systems is a real challenge. In ABE, data is encrypted with an access structure, which is the logical expression of the access policy. The ciphertext (encrypted data) can be decrypted by any user whose secret key has attributes that satisfy the access policy. The power of the ABE scheme is that the academic institution need not rely on the storage server to prevent unauthorized data access, since the access policies are defined by the academic authorities and are embedded in the ciphertext itself. However, this characteristic becomes inconvenient when the access policy changes. Indeed, to apply a new access policy to a file, we must download it, reencrypt it with a new access structure and upload it again to the cloud. The second challenge faced with the integration of ABE is the management of keys and access structures. Indeed, the questions of who should generate the access structures that govern the security policy and who should generate and distribute the keys necessary to access the data are a real challenge in an e-student academic cloud.

4.4 Proposed Architecture

This section proposes an architecture that confronts the above-mentioned challenges and enables academic institutions to manage student data effectively. The architecture considers two categories of users, namely academic professionals and students, and is composed of the following components, as depicted in Fig. 4.2: (1) the monitoring applications, which allow academic professionals to access the stored data and allow the academic chairs to take the role of the LA; (2) the Academic Authority (AA), which specifies and enforces the security policies of the university and takes the role of the KGC when outsourcing data over the cloud; and (3) the Data Storage Centre (DSC), which stores encrypted data in the cloud. Our architecture offers virtually infinite storage capacity and high scalability. Indeed, the architecture increases its storage capacity whenever necessary through the on-demand provisioning feature of the cloud. In addition, it offers enormous convenience to the academic institution, since it does not have to deal with the complexity of server management [53].

Figure 4.2 Proposed architecture for outsourcing academic data over cloud

4.5 Security implementation

4.5.1 System initialization

At the initialization of our architecture, the AA creates the universal attribute set and calls the setup algorithm of the proposed scheme to generate the master key (MK) and the public key (PK). The MK must remain secret, while the PK must be known to all users since they need it to encrypt and decrypt data. To share the PK, the AA signs it with its private key and sends it, along with the signature, to the cloud servers. Once the PK is in the cloud, users can download it and check its authenticity.

4.5.2 Adding New Users

When a new student is admitted to the university, the AA gives him a secret key and an access structure. The access structure allows him to encrypt his data before uploading it to the cloud and ensures that only authorized users can access it. The secret key allows him to access the data to which he has rights [21].

1. The AA requests the KGC to generate a private/public key pair (PrivS, PubS) for the student Stud.

2. Then the AA requests the KGC to initiate the key issuing protocol with the DSC to generate and issue the key components required to build the secret key SKS. Furthermore, it builds the access structure ARS that the student Stud will use to encrypt his academic records.

3. The AA asks the DSC to add the student Stud to the users list.

4. Upon receiving the student addition request, the DSC adds the student Stud and his public key PubS to the users list (LU).

When the student's gateway establishes a connection to the AA for the first time, it receives the corresponding key components of the KGC and the DSC, the access structure ARS and the private key PrivS [21].

The difference between the security parameters of a student and those of an academic professional comes from the fact that a student needs to encrypt his academic records, which can only be read, while an academic professional needs to encrypt the student education record, which can be both read and modified. The read access policy and the write access policy that govern a student record may be different. For example, an academic administrator can only read a student's academic records, while a professor can read and modify them to add comments to the student education record. Consequently, academic professionals should obtain two access structures, one for the read policy and one for the write policy. The following steps are performed each time a new academic professional AP joins the system [21]:

1. The AA requests the KGC to generate a private/public key pair (PrivAP, PubAP) for the academic professional AP.

2. Then the AA requests the KGC to initiate the key issuing protocol with the DSC to generate and issue the key components required to build the secret key SKAP. Furthermore, it builds the access structure ARAP that the academic professional AP will use to encrypt and modify the student data.

3. The AA asks the DSC to add the student Stud to the users list.

4. Upon receiving the student addition request, the DSC adds the student Stud and his public key PubS to the users list (LU).

When the student's gateway establishes a connection to the AA for the first time, it receives the corresponding key components of the KGC and the DSC, the access structure ARAP and the private key PrivAP.

4.5.3 Student academic data management

Academic data files contain information about students collected from other academic institutions and from industry. These files can be accessed in read mode only. The gateway receives information continuously and executes the following steps when the data is ready to be uploaded to the cloud:

1. Assign a unique identifier ID to the academic data file F; it is the handle used to locate the file later.

2. Generate a random secret key RSK for a symmetric cryptography scheme.

3. Compute H, the hash value of the file F.

4. Use RSK to encrypt the concatenation of the file F and the hash value H.

5. Encrypt RSK with the CP-ABE encryption scheme according to the access structure ARS.

6. Send the following data to the data-storing center: ID, {RSK}ARS, {(Data + H)}RSK

Once stored in the data-storing center, the academic data can be used by academic professionals to supervise the student, or by the student himself. When a user U wants to access an academic data file, he starts by downloading the file from the cloud. Then he decrypts the RSK field of the file using CP-ABE and his secret key SKU. If he has the right to access this file (his secret key satisfies the access structure of the student Stud), he obtains the correct RSK and hence decrypts the file. After decryption, the user checks the integrity of the content using the hash value. If he detects that the data file was altered, he reports it to the AA. Fig. 4.3 shows the different steps performed from adding a new student to his supervision.

Figure 4.3 Example of student supervision

4.5.4 Student Education data management

The student education data (such as progress reports, remedial activities, curriculum plans, etc.) is created by academic professionals and can be modified by other authorized users. Read access to this data is handled as in academic data management. However, to control updates to student files, we assign each file a password that is given only to authorized entities to allow them to modify the file. To allow a user to upload a new version of a file F, the cloud asks him for the file password. If the user provides the correct password, the new file version is accepted. When an academic professional AP creates a new student file F, he performs the following actions:

1. Assign a unique identifier ID to the student data file F.

2. Generate a random secret key RSK for a symmetric cryptography scheme.

3. Generate a random password PASS for controlling write access.

4. Compute H, the hash value of the file F.

5. Use RSK to encrypt the concatenation of the file F and the hash value H.

6. Encrypt RSK with the CP-ABE encryption scheme using the read access structure ARAP.

7. Encrypt PASS with the CP-ABE encryption scheme using the write access structure AWAP.

8. Encrypt PASS with the public key of the cloud.

9. Send the following data to the cloud: ID, {RSK}ARAP, {PASS}AWAP, {PASS}PubCloud and {(Data + H)}RSK

To read the content of a student file, a user U performs the same actions described in the previous section (access to a student file). However, to modify a student file he performs the following actions [21]:

1. Download the student file.

2. Update the file content and compute the new hash value of the file.

3. Encrypt the file content along with the new hash value using RSK.

4. Decrypt the password with ABE and SKU.

5. Send the cloud an update request containing the new file along with the recovered password.

6. Upon receiving the update request, the cloud decrypts the password of the original file using its private key PrivCloud.

7. The new version of the file is accepted if and only if the password recovered by the cloud is equal to the password in the update request.
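The two procedures above (Sections 4.5.3 and 4.5.4) as one added Python example that is not part of the thesis: it builds the stored record ID, {RSK}AR, {PASS}AW, {PASS}PubCloud, {(Data + H)}RSK, reads it back with the hash check, and runs the password-checked update on the cloud side. The CP-ABE encryption, the cloud's public-key encryption and the AES wrapper are replaced by labelled stand-ins (a policy set check and an HMAC-based keystream), so only the envelope and check logic is the real thing.

```python
"""Hybrid envelope for a student file, as in Sections 4.5.3 and 4.5.4:
ID, {RSK}AR (read policy), {PASS}AW (write policy), {PASS}PubCloud, {(Data + H)}RSK.
Constructed example; the CP-ABE and cloud-key primitives are labelled stand-ins."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

HASH_LEN = 32  # H = SHA-256(F)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric cipher keyed with RSK (stand-in for the thesis's AES wrapper):
    HMAC-SHA256 counter-mode keystream, so one call both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class AbeCt:
    """Stand-in for a CP-ABE ciphertext {X}AS: the payload is released iff the
    user's attribute set satisfies the policy (modelled here as an AND of attributes)."""
    policy: frozenset
    payload: bytes


def abe_encrypt(policy, secret: bytes) -> AbeCt:
    return AbeCt(frozenset(policy), secret)


def abe_decrypt(ct: AbeCt, attrs) -> Optional[bytes]:
    return ct.payload if ct.policy <= frozenset(attrs) else None


def cloud_wrap(cloud_key: bytes, file_id: str, password: bytes) -> bytes:
    """{PASS}PubCloud stand-in: keyed with the cloud's own secret; the nonce is
    derived from the unique file ID so the key never reuses a keystream."""
    return keystream_xor(cloud_key, hashlib.sha256(file_id.encode()).digest()[:12], password)


@dataclass
class StoredFile:
    file_id: str
    rsk_ct: AbeCt      # {RSK}AR
    pass_ct: AbeCt     # {PASS}AW
    pass_cloud: bytes  # {PASS}PubCloud
    nonce: bytes
    body: bytes        # {(Data + H)}RSK


def seal(file_id: str, data: bytes, read_policy, write_policy, cloud_key: bytes) -> StoredFile:
    """Steps 1-9 of Section 4.5.4, performed by the academic professional."""
    rsk = secrets.token_bytes(32)
    password = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    body = keystream_xor(rsk, nonce, data + hashlib.sha256(data).digest())
    return StoredFile(file_id, abe_encrypt(read_policy, rsk), abe_encrypt(write_policy, password),
                      cloud_wrap(cloud_key, file_id, password), nonce, body)


def open_for_read(stored: StoredFile, attrs) -> bytes:
    """Reader's steps: recover RSK via CP-ABE, decrypt, then verify H before trusting the data."""
    rsk = abe_decrypt(stored.rsk_ct, attrs)
    if rsk is None:
        raise PermissionError("attributes do not satisfy the read access structure")
    plain = keystream_xor(rsk, stored.nonce, stored.body)
    data, digest = plain[:-HASH_LEN], plain[-HASH_LEN:]
    if not hmac.compare_digest(hashlib.sha256(data).digest(), digest):
        raise ValueError("integrity check failed: the file was altered, report it to the AA")
    return data


def prepare_update(stored: StoredFile, attrs, new_data: bytes) -> dict:
    """Modify steps 1-5: re-encrypt the new content plus its hash under RSK and
    recover PASS with the write attributes; a read-only user cannot obtain PASS."""
    rsk = abe_decrypt(stored.rsk_ct, attrs)
    password = abe_decrypt(stored.pass_ct, attrs)
    if rsk is None or password is None:
        raise PermissionError("attributes do not satisfy the write access structure")
    nonce = secrets.token_bytes(12)
    body = keystream_xor(rsk, nonce, new_data + hashlib.sha256(new_data).digest())
    return {"file_id": stored.file_id, "nonce": nonce, "body": body, "password": password}


def cloud_apply_update(store: Dict[str, StoredFile], request: dict, cloud_key: bytes) -> bool:
    """Modify steps 6-7 on the cloud: recover PASS from {PASS}PubCloud and accept
    the new version iff it equals the password in the request (constant-time compare)."""
    stored = store[request["file_id"]]
    expected = cloud_wrap(cloud_key, stored.file_id, stored.pass_cloud)
    if not hmac.compare_digest(expected, request["password"]):
        return False
    stored.nonce, stored.body = request["nonce"], request["body"]
    return True
```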

4.6 Discussion and Conclusion

To tackle the first challenge of ABE integration, we propose to use both symmetric cryptography and ABE to encrypt data. More specifically, we propose to encrypt each file with a randomly generated symmetric key (RSK) and to encrypt the RSK with ABE. Both the encrypted file and the encrypted RSK are sent to the cloud for storage, which allows fine-grained data sharing with authorized users. Indeed, if a user has a secret key that satisfies the ABE access policy, he will be able to decrypt the RSK and hence to decrypt the file. Furthermore, if the file access policy changes, we only need to download and re-encrypt the RSK rather than the whole file. This leads to a significant saving in data communication and encryption operations. Finally, our solution has less encryption overhead than using ABE to encrypt the whole file.

To tackle the second challenge, which is mastering the complexity of security management, we introduce an entity that we call the AA. The AA specifies and enforces the security policies of the university. It is used by the administrators of the university to define rules of the form "who can access what". Based on these rules, the AA generates and sends each user his ABE security parameters, which are a pair consisting of an access structure and a secret key. The secret key is generated from the user's attribute set, which represents the user's privileges; it is required to decrypt the data the user is allowed to access. The access structure represents the access policy that protects the user's data. When a user encrypts the random symmetric key (RSK) that protects his data under this structure, he can be sure that only authorized users (those who have the correct attributes) can decrypt and access his data. Introducing the AA relieves users of creating and distributing access structures and secret keys. Consequently, it improves the usability of the system, since a student has no action to take to secure his data, and academic professionals transparently access the data that falls under their scope.


5 Chapter 5: Security and Performance Analysis


In this chapter, we demonstrate our proposed scheme by running the Java code of Appendix A and using an Excel sheet to draw the charts in Fig. 5.1, 5.2 and 5.4, which compare timings taken with the function currentTimeMillis() before and after applying the new scheme. We also used Arena, for Fig. 5.3, to evaluate the performance of the proposed scheme.

5.1 Security analysis

In this section, we assess the security of the proposed scheme with regard to the security requirements discussed in Chapter 2 of this thesis.

A. Data Confidentiality: The AA issues a set of attribute keys, and the KGC issues SKK,u, to an authenticated user u for the attributes the user is entitled to. The DSC and the LA issue the user a personalized secret key, SKD,u and SKLA,u, by performing a secure 2PC protocol with the KGC. This key generation protocol prevents either party from obtaining the other's master secret key or determining the secret key issued by the other. Therefore, neither has enough information to decrypt the data. Even though the DSC manages the membership information for the attribute groups, it cannot decrypt any of the nodes of the access tree in the ciphertext, because it is only authorized to perform reencryption and is not allowed to decrypt. Therefore, data confidentiality against the honest-but-curious KGC, LA and data-storing center is also guaranteed.

B. Collusion Resistance: In CP-ABE, the secret sharing must be embedded in the ciphertext rather than in the private keys of users. As in the previous ABE schemes [6], the private keys (SK) of users are randomized with personalized random values selected by the KGC, so that they cannot be combined in the proposed scheme. This value can be blinded out if and only if the user has enough key components to satisfy the secret sharing scheme embedded in the ciphertext. Therefore, the desired value cannot be recovered by a collusion attack, since the blinding value is randomized per user's private key.

C. Backward and Forward Secrecy: When a user comes to hold a set of attributes that satisfies the access policy in the ciphertext, the DSC updates the corresponding attribute keys, which are sent securely to the valid users for decryption. Even if the user stored the previous ciphertext earlier and now holds attributes that satisfy the access policy, he cannot decrypt the previous ciphertext: even if he succeeds in computing the value from the current ciphertext, it does not help to recover the desired value for the previous ciphertext, since that ciphertext was reencrypted with a new secret key. Therefore, the backward secrecy of the shared data is guaranteed in the proposed scheme.

On the other hand, when a user comes to drop a set of attributes satisfying the access policy in the ciphertext, the attribute keys are also updated and are required for decryption. Thus, the user cannot decrypt any nodes corresponding to those attributes after his revocation. In addition, even if the user recovered the ciphertext before he was revoked from the attribute groups and stored it, it does not help him determine the desired value, since it also depends on the newly updated attribute key. Therefore, the forward secrecy of the shared data is also guaranteed in the proposed scheme.

Thus our solution guarantees message integrity, authenticity and confidentiality during data transfer through the SSL protocol. Furthermore, it ensures secure and fine-grained access control to data files stored in the cloud. Indeed, data files are encrypted by a randomly generated symmetric key, and this key is encrypted by CP-ABE. The CP-ABE scheme has been proved secure in [38]; in particular, it has been proved resistant against collusion attacks, ensuring that encrypted data cannot be accessed by unauthorized users. From this, we deduce that the random symmetric key is confidential and can be accessed only by authorized users. Consequently, data confidentiality is guaranteed by the security of standard symmetric encryption.

Since our scheme enables scalable and fine-grained access control, the AA is able to define and enforce an expressive and personalized access structure for each user. These access structures let us select with fine granularity which users can access the symmetric key of a given file. Since accessing the symmetric key is necessary to access the file, these access structures let us select with fine granularity which users can access a file's contents. Finally, by using separate access structures for the read and write policies, we separate read access from write access to student data.

Furthermore, our scheme is resilient against man-in-the-middle attacks by addressing two concerns. The first is an attack during communication between entities of the system, which requires verifying that a public key is correct, belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party. The second is how to ensure that the public key of the CP-ABE system is the original PK provided by our AA. In our scheme, to respond to the first issue, each sender sends the receiver its digital certificate issued by our public key infrastructure; the receiver then verifies the validity of the certificate using the public key of our PKI. For the second issue, the CP-ABE PK is signed by the Academic Authority, and any entity of the system can verify the authenticity of the CP-ABE public key before using it.

5.2 Comparative Analysis with Related Works

Table 5-1 summarizes the characteristics of the proposed scheme against other related work. As is evident, the proposed scheme offloads more activities from the data owner to the data storing centre, i.e. the cloud, and minimizes the workload required for key generation and revocation. In comparison to the scheme recently proposed in [38], this work involves a local authority to address the key escrow problem and removes the assumption that the KGC and the DSC will not collude with each other, by sharing their master secrets, to guess the secret key of every user.

Table 5-1 Comparison of Proposed Protocol (with the Use of a Group Key) to Related Work

Characteristic | Protocol in [38] | Protocol in [50] | Protocol in [56] | Protocol herein
System model | Owner, authority, CSP | Owner, CSP | Owner, authority, CSP | Owner, CSP, trusted authority and local authority
Cryptographic technique | CP-ABE | KP-ABE (requiring access structure for user) | CP-ABE | CP-ABE
Participating actors in user data encryption task | Data owner | Data owner | Data owner, attribute authority jointly (to offload access control) | Data owner
Participating actors in re-encryption keygen task | CSP | Data owner | Attribute authority | CSP
Mechanism for user revocation | Multiple attribute keys regenerated | Multiple attribute keys regenerated | Multiple attribute keys regenerated | Multiple attribute keys regenerated
Participating actors in cloud data re-encryption task | CSP in lazy fashion | CSP in lazy fashion | Attribute authority | CSP in lazy fashion
Cloud-hosted metadata history for re-encryption task | RKs and attributes updated by owner | RKs and attributes updated by owner | None | RKs and attributes updated by owner
Mechanism for key-update material | Binary key encryption key tree | Process access subtree | Process dual access trees (attributes and user ID) | Process access subtree

User revocation is realized at the attribute level in both Hur et al. [38] and this work. Differently, Hur et al. [38] create a binary key encryption key tree over the attribute universe of the users and use it to distribute the updated attribute group keys to the users. In this work, however, user revocation is realized by encrypting the updated attribute key under a new access structure, which prevents revoked users from decrypting and receiving the valid attribute key needed for data access.

5.3 Performance analysis

5.3.1 Encryption operations analysis

The encryption time of CP-ABE is linear in the number of leaf nodes of the access structure used. It therefore enables fine-grained access control to data, but induces significant processing overhead with complex access policies such as those used in academic systems. Measuring the decryption time is more difficult, however, since it depends significantly on the access tree used and on the set of involved attributes [18]. Here a preliminary performance evaluation is presented to show the benefit of the proposed scheme compared to CP-ABE [38]. We considered several random access structures and attribute sets that can be met in a real academic system. The toolkit developed in [54] was utilized for the ABE implementation, to accomplish the re-encryption task of the proposed scheme, and an AES implementation was used for the symmetric encryption. First we present the performance evaluation of the encryption and decryption operations, shown respectively in Figs. 5.1 and 5.2.
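The number of leaf nodes that drives the encryption cost above is fixed by the access policy string, which the toolkit [54] (and the appendix's enc() comment) writes in postfix form such as "foo bar fim 2of3 baf 1of2". The parser and threshold-tree evaluator below is an added example, not code from the thesis or the cpabe toolkit; the academic policy string and attribute sets used in it are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# a threshold gate token: "kofn" (k of the preceding n subtrees must hold)
_GATE = re.compile(r"^(\d+)of(\d+)$")


@dataclass
class PolicyNode:
    """A node of the threshold access tree: a leaf carries an attribute
    name, an inner node is a k-of-n threshold gate over its children."""
    k: int = 1
    attr: Optional[str] = None
    children: List["PolicyNode"] = field(default_factory=list)

    @property
    def is_leaf(self) -> bool:
        return self.attr is not None


def parse_policy_postfix(policy: str) -> PolicyNode:
    """Parse the postfix policy syntax of the cpabe toolkit: an attribute
    token pushes a leaf, a "kofn" token pops the last n nodes and pushes a
    k-of-n gate over them. Exactly one tree must remain at the end."""
    stack: List[PolicyNode] = []
    for tok in policy.split():
        m = _GATE.match(tok)
        if m is None:
            # plain attribute; whitespace is impossible, "_" is allowed
            stack.append(PolicyNode(attr=tok))
            continue
        k, n = int(m.group(1)), int(m.group(2))
        if not 1 <= k <= n:
            raise ValueError(f"invalid threshold gate {tok!r}")
        if n > len(stack):
            raise ValueError(
                f"gate {tok!r} needs {n} operands, {len(stack)} available")
        children = stack[-n:]
        del stack[-n:]
        stack.append(PolicyNode(k=k, children=children))
    if len(stack) != 1:
        raise ValueError(
            f"malformed policy: {len(stack)} trees left on the stack")
    return stack[0]


def leaf_count(node: PolicyNode) -> int:
    """Number of leaves; CP-ABE encryption cost grows linearly with this."""
    if node.is_leaf:
        return 1
    return sum(leaf_count(c) for c in node.children)


def satisfies(node: PolicyNode, attrs: Set[str]) -> bool:
    """Does the attribute set satisfy the tree? A leaf is satisfied when its
    attribute is held; a gate when at least k of its children are satisfied."""
    if node.is_leaf:
        return node.attr in attrs
    held = sum(1 for c in node.children if satisfies(c, attrs))
    return held >= node.k


def to_infix(node: PolicyNode) -> str:
    """Human-readable rendering, useful when auditing a stored policy."""
    if node.is_leaf:
        return node.attr
    inner = ", ".join(to_infix(c) for c in node.children)
    return f"{node.k}of{len(node.children)}({inner})"


if __name__ == "__main__":
    # constructed academic policy: the dean alone, or a registrar of the
    # CS department (hypothetical attribute names)
    tree = parse_policy_postfix("registrar dept_cs 2of2 dean 1of2")
    print(to_infix(tree), "leaves:", leaf_count(tree))
    print("dean:", satisfies(tree, {"dean"}))
    print("registrar only:", satisfies(tree, {"registrar"}))
```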


Figure 5.1 Encryption Evaluation

For this, we compute the time overhead of encryption and decryption while varying the number of leaf nodes of the access structure (the number of attributes). Figs. 5.1 and 5.2 respectively show that CP-ABE [38] consumes more time than our solution in both encryption and decryption. These results match our expectations and show that our access control scheme is more efficient in terms of cryptographic operations. Indeed, the proposed scheme uses AES to encrypt the data file and uses CP-ABE to encrypt only the AES key (256 bits). Since AES is faster than CP-ABE [38], the whole encryption and decryption time is reduced. This reduction varies between 5% and 15% for encryption, and between 15% and 20% for decryption, in the studied samples. Notice that these performance evaluations do not consider the significant gain that can be achieved in access control revocation.


Figure 5.2 Decryption Evaluation

5.3.2 Simulation Analysis

To evaluate the performance of our solution against the number of access policy requests, a simulation study was conducted and a model, shown in Fig. 5.3, was constructed in Arena. Two scenarios were created to analyse their impact on our solution. In the first scenario, we assume that there is no access policy update during the evaluation period. We consider three operations: reading a file from the cloud, writing a file to the cloud and creating a file on the cloud. We study the mean number of waiting requests during an interval of time. We evaluate three schemes: the first is the proposed scheme, which combines CP-ABE with symmetric AES encryption.


Figure 5.3 Model for Simulation Analysis

Figure 5.4 Performance Analysis without Access policy change request


In the simulation study, the arrival times of user requests are modelled as an exponential distribution with mean arrival rate (). Also, a FIFO queue was used to accommodate the different requests arriving at the cloud. Although the encryption and decryption overhead is not the same for the three solutions, Fig. 5.4 shows that our solution has almost the same performance as CP-ABE [38].

Figure 5.5 Performance Analysis with Access policy change request

In the second scenario, we introduce multiple changes to the access policies, which result in revocations and grants of access rights. In this case, we observe that our scheme shows higher performance than the other two solutions, as shown in Fig. 5.5. Indeed, the revocation overhead is high in CP-ABE [38] compared to our solution. This overhead is due to the re-encryption operations caused by access policy updates. In the case of the file-group based solution, we need to change the key of one or several groups, which induces re-encryption of all the files of the group. In our solution, we avoid these operations by using a key expiration time, whereby access rights are temporarily assigned to users. Consequently, this shows that, unlike the other two solutions, with our solution we can achieve fine-grained access and scalability simultaneously.


Chapter 6: Conclusion and Future Directions


This chapter summarizes the thesis and the contribution of the current research project. Future research on attribute based encryption for data outsourcing systems is also discussed.

6.1 Summary

The privacy of data in the cloud computing environment is a serious issue that requires special consideration. The state-of-the-art review of the approaches and methodologies currently being used to deal with the important issue of privacy is presented in Chapter 3. In particular, the enforcement of access policies and the support of policy updates are important and challenging issues in the cloud. This thesis has attempted to address these issues in Chapter 4 by proposing and implementing an improved CP-ABE scheme to outsource data securely over the cloud, enforcing fine-grained data access control and exploiting the characteristics of the data sharing system. The proposed scheme features a key issuing mechanism that removes key escrow during key generation. The user secret keys are generated through a secure two-party computation such that a curious KGC or DSC cannot derive the private keys individually. Thus, the proposed scheme enhances data privacy and confidentiality in the cloud against any system managers as well as adversarial outsiders without the corresponding credentials.

The proposed scheme can perform immediate user revocation on each attribute set while taking full advantage of the scalable access control provided by CP-ABE. Therefore, the proposed scheme achieves more secure and fine-grained data access control over the data outsourced to the cloud. The applicability of the proposed scheme to a real world case was demonstrated in Chapter 5 by proposing an innovative architecture for the academic environment. The architecture was shown to confront the challenges in adopting the proposed scheme to outsource academic data over the cloud while guaranteeing confidentiality and integrity as well as fine-grained access control.

Finally, security and performance analyses with various scenarios were simulated to demonstrate that the proposed scheme provides efficient, fine-grained and scalable access control by combining CP-ABE and symmetric cryptography. This combination reduced the computational overhead with respect to encryption/decryption operations and access policy changes, as discussed in Chapter 6.


In summary, the contributions of this work are manifold:

A. We propose a new cloud based architecture for outsourcing academic data over cloud.

B. We show how we guarantee the confidentiality of outsourced academic data without

involving students or academic professionals’ interventions.

C. We propose an efficient access control which allows implementing complex and

dynamic security policies compliant with academic administrative organization while

reducing the management and processing overhead.

6.2 Future Research Directions

Despite all the efforts made to enhance the privacy of the data, certain areas and issues remain open and need more attention. We briefly highlight these issues below:

A. An important issue that arises due to the nature of the cloud is secure provenance. Generally, provenance may include tracking and monitoring of 1) the actions taken, 2) the entities taking the actions, 3) the location of the actions, and 4) the reason for each action. Although the cloud environment may be protected against privacy threats, the provenance of the data may still reveal sensitive information to unauthorized individuals who monitor the sequence of events. Therefore, it is highly desirable that mechanisms be developed to deploy efficient auditing and accountability mechanisms that anonymously monitor the utilization of records and track provenance, so as to ensure the confidentiality of the data.

B. Likewise, the encryption approaches based on PKE presented here are computationally far less efficient than symmetric key approaches. Consequently, there is a significant need to devise more usable and efficient data search strategies without compromising the privacy of the cloud environment in general and of e-academic clouds in particular.

C. Another important issue worth investigating is determining and verifying the integrity of the data in the cloud environment. Although existing privacy preserving mechanisms offer support for maintaining the integrity of data in the cloud, integrating an integrity verification mechanism with the existing solutions will give users and data owners an increased sense of control over the data.


References:

1. Huth, A., & Cebula, J. (2011). The basics of cloud computing. United States Computer.
2. Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., & Zaharia, M. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50-58.
3. Qian, L., Luo, Z., Du, Y., & Guo, L. (2009). Cloud computing: an overview. In Cloud Computing (pp. 626-631). Springer Berlin Heidelberg.
4. Takabi, H., Joshi, J. B., & Ahn, G. J. (2013). Security and Privacy in Cloud Computing: Towards. Principles, Methodologies, and Service-Oriented Approaches for Cloud Computing, 164.
5. Mell, P., & Grance, T. (2011). The NIST definition of cloud computing.
6. Almulla, S. A., & Yeun, C. Y. (2010, March). Cloud computing security management. In Engineering Systems Management and Its Applications (ICESMA), 2010 Second International Conference on (pp. 1-7). IEEE.
7. Jansen, W., & Grance, T. (2011). Guidelines on security and privacy in public cloud computing. NIST Special Publication, 800, 144.
8. Pearson, S., Shen, Y., & Mowbray, M. (2009). A privacy manager for cloud computing. In Cloud Computing (pp. 90-106). Springer Berlin Heidelberg.
9. ComPUtING, C. (2011). Cloud computing privacy concerns on our doorstep. Communications of the ACM, 54(1).
10. Anil, S. L., & Thanka, R. (2013). A survey on security of data outsourcing in cloud. International Journal of Scientific and Research Publications (IJSRP), 3.
11. Wang, C., Wang, Q., Ren, K., & Lou, W. (2010, March). Privacy-preserving public auditing for data storage security in cloud computing. In INFOCOM, 2010 Proceedings IEEE (pp. 1-9). IEEE.
12. Kushida, K. E., Murray, J., & Zysman, J. (2011). Diffusing the cloud: Cloud computing and implications for public policy. Journal of Industry, Competition and Trade, 11(3), 209-237.
13. Ateniese, G., Di Pietro, R., Mancini, L. V., & Tsudik, G. (2008, September). Scalable and efficient provable data possession. In Proceedings of the 4th international conference on Security and privacy in communication networks (p. 9). ACM.
14. Dong, X., Yu, J., Luo, Y., Chen, Y., Xue, G., & Li, M. (2014). Achieving an effective, scalable and privacy-preserving data sharing service in cloud computing. Computers & Security, 42, 151-164.
15. Li, M., Yu, S., Ren, K., & Lou, W. (2010). Securing personal health records in cloud computing: Patient-centric and fine-grained data access control in multi-owner settings. In Security and Privacy in Communication Networks (pp. 89-106). Springer Berlin Heidelberg.
16. Goyal, V., Pandey, O., Sahai, A., & Waters, B. (2006, October). Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM conference on Computer and communications security (pp. 89-98). ACM.
17. Boneh, D., Boyen, X., & Goh, E. J. (2005). Hierarchical identity based encryption with constant size ciphertext. In Advances in Cryptology–EUROCRYPT 2005 (pp. 440-456). Springer Berlin Heidelberg.
18. Bethencourt, J., Sahai, A., & Waters, B. (2007, May). Ciphertext-policy attribute-based encryption. In Security and Privacy, 2007. SP'07. IEEE Symposium on (pp. 321-334). IEEE.
19. Samarati, P., & di Vimercati, S. D. C. (2010, April). Data protection in outsourcing scenarios: Issues and directions. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (pp. 1-14). ACM.
20. Bouabana-Tebibel, T., & Kaci, A. (2015). Parallel search over encrypted data under attribute based encryption on the Cloud Computing. Computers & Security.
21. Lounis, A., Hadjidj, A., Bouabdallah, A., & Challal, Y. (2015). Healing on the cloud: Secure cloud architecture for medical wireless sensor networks. Future Generation Computer Systems.
22. Hur, J., & Noh, D. K. (2011). Attribute-based access control with efficient revocation in data outsourcing systems. Parallel and Distributed Systems, IEEE Transactions on, 22(7), 1214-1221.
23. Carlin, S., & Curran, K. (2011). Cloud computing security.
24. Dillon, T., Wu, C., & Chang, E. (2010, April). Cloud computing: issues and challenges. In Advanced Information Networking and Applications (AINA), 2010 24th IEEE International Conference on (pp. 27-33). IEEE.
25. Sahai, A., & Waters, B. (2005). Fuzzy identity-based encryption. In Advances in Cryptology–EUROCRYPT 2005 (pp. 457-473). Springer Berlin Heidelberg.
26. Geetha, K. (2015). An Efficient Presentation of Attribute Based Encryption Design in Cloud Data. In Computer Science and Software Engineering (pp. 2-5). International Journal of Advanced Research.
27. Wang, C. J., & Luo, J. F. (2012, November). A key-policy attribute-based encryption scheme with constant size ciphertext. In Computational Intelligence and Security (CIS), 2012 Eighth International Conference on (pp. 447-451). IEEE.
28. Ibraimi, L., Petkovic, M., Nikova, S., Hartel, P., & Jonker, W. (2009). Mediated ciphertext-policy attribute-based encryption and its application. In Information security applications (pp. 309-323). Springer Berlin Heidelberg.
29. Lounis, A., Hadjidj, A., Bouabdallah, A., & Challal, Y. (2013, October). Secure medical architecture on the cloud using wireless sensor networks for emergency management. In Broadband and Wireless Computing, Communication and Applications (BWCCA), 2013 Eighth International Conference on (pp. 248-252). IEEE.
30. Yu, S., Wang, C., Ren, K., & Lou, W. (2010, April). Attribute based data sharing with attribute revocation. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (pp. 261-270). ACM.
31. Rong, C., Nguyen, S. T., & Jaatun, M. G. (2013). Beyond lightning: A survey on security challenges in cloud computing. Computers & Electrical Engineering, 39(1), 47-54.
32. Zhang, Q., Cheng, L., & Boutaba, R. (2010). Cloud computing: state-of-the-art and research challenges. Journal of Internet Services and Applications, 1(1), 7-18.
33. Rivest, R. L., Shamir, A., & Adleman, L. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2), 120-126.
34. Balasubramanian, N., Balasubramanian, A., & Venkataramani, A. (2009, November). Energy consumption in mobile phones: a measurement study and implications for network applications. In Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference (pp. 280-293). ACM.
35. Tysowski, P. K., & Hasan, M. A. (2013). Hybrid attribute- and re-encryption-based key management for secure and scalable mobile applications in clouds. Cloud Computing, IEEE Transactions on, 1(2), 172-186.
36. Attrapadung, N., Herranz, J., Laguillaumie, F., Libert, B., De Panafieu, E., & Ràfols, C. (2012). Attribute-based encryption schemes with constant-size ciphertexts. Theoretical Computer Science, 422, 15-38.
37. Wang, G., Liu, Q., & Wu, J. (2010, October). Hierarchical attribute-based encryption for fine-grained access control in cloud storage services. In Proceedings of the 17th ACM conference on Computer and communications security (pp. 735-737). ACM.
38. Hur, J. (2013). Improving security and efficiency in attribute-based data sharing. Knowledge and Data Engineering, IEEE Transactions on, 25(10), 2271-2282.
39. Chase, M., & Chow, S. S. (2009, November). Improving privacy and security in multi-authority attribute-based encryption. In Proceedings of the 16th ACM conference on Computer and communications security (pp. 121-130). ACM.
40. Chow, S. S. (2009). Removing escrow from identity-based encryption. In Public Key Cryptography–PKC 2009 (pp. 256-276). Springer Berlin Heidelberg.
41. Boldyreva, A., Goyal, V., & Kumar, V. (2008). Identity-based encryption with efficient revocation. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 417-426). ACM.
42. Pirretti, M., Traynor, P., McDaniel, P., & Waters, B. (2006). Secure attribute-based systems. In Proceedings of the ACM Conference on Computer and Communications Security. ACM.
43. Rafaeli, S., & Hutchison, D. (2003). A survey of key management for secure group communication. ACM Computing Surveys (CSUR), 35(3), 309-329.
44. Liang, X., Lu, R., Lin, X., & Shen, X. S. (2010). Ciphertext policy attribute based encryption with efficient revocation. Technical Report, University of Waterloo.
45. Ostrovsky, R., Sahai, A., & Waters, B. (2007, October). Attribute-based encryption with non-monotonic access structures. In Proceedings of the 14th ACM conference on Computer and communications security (pp. 195-203). ACM.
46. Staddon, J., Golle, P., Gagné, M., & Rasmussen, P. (2008, March). A content-driven access control system. In Proceedings of the 7th symposium on Identity and trust on the Internet (pp. 26-35). ACM.
47. Attrapadung, N., & Imai, H. (2009). Conjunctive broadcast and attribute-based encryption. In Pairing-Based Cryptography–Pairing 2009 (pp. 248-265). Springer Berlin Heidelberg.
48. Staddon, J., Golle, P., Gagné, M., & Rasmussen, P. (2008, March). A content-driven access control system. In Proceedings of the 7th symposium on Identity and trust on the Internet (pp. 26-35). ACM.
49. Abbas, A., & Khan, S. U. (2014). A review on the state-of-the-art privacy-preserving approaches in the e-health clouds. Biomedical and Health Informatics, IEEE Journal of, 18(4), 1431-1441.
50. Yu, S., Wang, C., Ren, K., & Lou, W. (2010, March). Achieving secure, scalable, and fine-grained data access control in cloud computing. In INFOCOM, 2010 Proceedings IEEE (pp. 1-9). IEEE.
51. AbuKhousa, E., Mohamed, N., & Al-Jaroodi, J. (2012). e-Health cloud: opportunities and challenges. Future Internet, 4(3), 621-645.
52. Hupperich, T., Löhr, H., Sadeghi, A. R., & Winandy, M. (2012, January). Flexible patient-controlled security for electronic health records. In Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium (pp. 727-732). ACM.
53. Waters, B. (2011). Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. In Public Key Cryptography–PKC 2011 (pp. 53-70). Springer Berlin Heidelberg.
54. Bethencourt, J., Sahai, A., & Waters, B. (n.d.). Cp-abe library. Online at: http://acsc.cs.utexas.edu/cpabe/.
55. Yang, K., & Jia, X. (2014). Security for cloud storage systems (pp. 39-58). New York: Springer.
56. Ming, Y., et al. (2011). An efficient attribute based encryption scheme with revocation for outsourced data sharing control. In Instrumentation, Measurement, Computer, Communication and Control, 2011 First International Conference on. IEEE.
57. Rafath, N., Ghouri, W., & Raziuddin, S. (2015). Security in cloud using ciphertext policy attribute-based encryption with checkability. International Journal of Innovative Research in Computer and Communication Engineering, 3(5).
58. Shi, Y., Zheng, Q., Liu, J., & Han, Z. (2015). Directly revocable key-policy attribute-based encryption with verifiable ciphertext delegation. Information Sciences, 295, 221-231.
59. Liu, J., Huang, X., & Liu, J. K. (2015). Secure sharing of personal health records in cloud computing: ciphertext-policy attribute-based signcryption. Future Generation Computer Systems, 52, 67-76.
60. Cheng, Y., Wang, Z. Y., Ma, J., Wu, J. J., Mei, S. Z., & Ren, J. C. (2013). Efficient revocation in ciphertext-policy attribute-based encryption based cryptographic cloud storage. Journal of Zhejiang University SCIENCE C, 14(2), 85-97.
61. Liang, K., Au, M. H., Liu, J. K., Susilo, W., Wong, D. S., Yang, G., ... & Yang, A. (2015). A secure and efficient ciphertext-policy attribute-based proxy re-encryption for cloud data sharing. Future Generation Computer Systems, 52, 95-108.
62. Yu, S., Ren, K., & Lou, W. (2010). Attribute-based on-demand multicast group setup with membership anonymity. Computer Networks, 54(3), 377-386.
63. Naor, D., Naor, M., & Lotspiech, J. (2001, August). Revocation and tracing schemes for stateless receivers. In Advances in Cryptology–CRYPTO 2001 (pp. 41-62). Springer Berlin Heidelberg.
64. Nishide, T., Yoneyama, K., & Ohta, K. (2008, June). Attribute-based encryption with partially hidden encryptor-specified access structures. In Applied Cryptography and Network Security (pp. 111-129). Springer Berlin Heidelberg.
65. Cheung, L., & Newport, C. (2007, October). Provably secure ciphertext policy ABE. In Proceedings of the 14th ACM conference on Computer and communications security (pp. 456-465). ACM.
66. Bethencourt, J., Sahai, A., & Waters, B. (2007, May). Ciphertext-policy attribute-based encryption. In Security and Privacy, 2007. SP'07. IEEE Symposium on (pp. 321-334). IEEE.
67. Western Europe Events 2015. (n.d.). Retrieved April 11, 2016, from http://www.cvent.com/events/western-europe-events-2015/custom-20-964bc723509944aea8b7df2d05ec160e.aspx?RefID=Cloud


Appendix A. Source Code


abe.java

import it.unisa.dia.gas.jpbc.CurveParameters;
import it.unisa.dia.gas.jpbc.Element;
import it.unisa.dia.gas.jpbc.Pairing;
import it.unisa.dia.gas.plaf.jpbc.pairing.DefaultCurveParameters;
import it.unisa.dia.gas.plaf.jpbc.pairing.PairingFactory;
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;

public class Bswabe {

    /* Type A (symmetric) pairing parameters loaded by setup(). */
    private static String curveParams = "type a\n"
            + "q 87807107996633125224377819847540498158068831994142082"
            + "1102865339926647563088022295707862517942266222142315585"
            + "8769582317459277713367317481324925129998224791\n"
            + "h 12016012264891146079388821366740534204802954401251311"
            + "822919615131047207289359704531102844802183906537786776\n"
            + "r 730750818665451621361119245571504901405976559617\n"
            + "exp2 159\n" + "exp1 107\n" + "sign1 1\n" + "sign0 1\n";

    /*
     * Generate a public key and corresponding master secret key.
     */
    public static void setup(BswabePub pub, BswabeMsk msk) {
        Element alpha, beta_inv;
        CurveParameters params = new DefaultCurveParameters()
                .load(new ByteArrayInputStream(curveParams.getBytes()));
        pub.pairingDesc = curveParams;
        pub.p = PairingFactory.getPairing(params);
        Pairing pairing = pub.p;

        pub.g = pairing.getG1().newElement();
        pub.f = pairing.getG1().newElement();
        pub.h = pairing.getG1().newElement();
        pub.gp = pairing.getG2().newElement();
        pub.g_hat_alpha = pairing.getGT().newElement();
        alpha = pairing.getZr().newElement();
        msk.beta = pairing.getZr().newElement();
        msk.g_alpha = pairing.getG2().newElement();

        alpha.setToRandom();
        msk.beta.setToRandom();
        pub.g.setToRandom();
        pub.gp.setToRandom();

        msk.g_alpha = pub.gp.duplicate();
        msk.g_alpha.powZn(alpha);          /* g^alpha (master secret)   */
        beta_inv = msk.beta.duplicate();
        beta_inv.invert();
        pub.f = pub.g.duplicate();
        pub.f.powZn(beta_inv);             /* f = g^(1/beta)            */
        pub.h = pub.g.duplicate();
        pub.h.powZn(msk.beta);             /* h = g^beta                */
        pub.g_hat_alpha = pairing.pairing(pub.g, msk.g_alpha); /* e(g,g)^alpha */
    }

    /*
     * Generate a private key with the given set of attributes.
     */
    public static BswabePrv keygen(BswabePub pub, BswabeMsk msk, String[] attrs)
            throws NoSuchAlgorithmException {
        BswabePrv prv = new BswabePrv();
        Element g_r, r, beta_inv;
        Pairing pairing;

        /* initialize */
        pairing = pub.p;
        prv.d = pairing.getG2().newElement();
        g_r = pairing.getG2().newElement();
        r = pairing.getZr().newElement();
        beta_inv = pairing.getZr().newElement();

        /* compute */
        r.setToRandom();
        g_r = pub.gp.duplicate();
        g_r.powZn(r);
        prv.d = msk.g_alpha.duplicate();
        prv.d.mul(g_r);
        beta_inv = msk.beta.duplicate();
        beta_inv.invert();
        prv.d.powZn(beta_inv);             /* D = g^((alpha + r)/beta)  */

        int i, len = attrs.length;
        prv.comps = new ArrayList<BswabePrvComp>();
        for (i = 0; i < len; i++) {
            BswabePrvComp comp = new BswabePrvComp();
            Element h_rp;
            Element rp;
            comp.attr = attrs[i];
            comp.d = pairing.getG2().newElement();
            comp.dp = pairing.getG1().newElement();
            h_rp = pairing.getG2().newElement();
            rp = pairing.getZr().newElement();
            elementFromString(h_rp, comp.attr); /* H(attr)              */
            rp.setToRandom();
            h_rp.powZn(rp);
            comp.d = g_r.duplicate();
            comp.d.mul(h_rp);              /* D_j = g^r * H(j)^r_j      */
            comp.dp = pub.g.duplicate();
            comp.dp.powZn(rp);             /* D'_j = g^r_j              */
            prv.comps.add(comp);
        }
        return prv;
    }

/*

* Delegate a subset of attribute of an existing private key.

*/

Page 98: An Enhanced Cipher Text Policy Attribute based Encryption ...info.psu.edu.sa/psu/library/files/THE00013.pdf · An Enhanced Cipher Text Policy Attribute based Encryption for Outsourcing

97 | P a g e

public static BswabePrv delegate(BswabePub pub, BswabePrv prv_src, String[]

attrs_subset)

throws NoSuchAlgorithmException, IllegalArgumentException {

BswabePrv prv = new BswabePrv();

Element g_rt, rt, f_at_rt;

Pairing pairing;

/* initialize */

pairing = pub.p;

prv.d = pairing.getG2().newElement();

g_rt = pairing.getG2().newElement();

rt = pairing.getZr().newElement();

f_at_rt = pairing.getZr().newElement();

/* compute */

rt.setToRandom();

f_at_rt = pub.f.duplicate();

f_at_rt.powZn(rt);

prv.d = prv_src.d.duplicate();

prv.d.mul(f_at_rt);

g_rt = pub.g.duplicate();

g_rt.powZn(rt);

int i, len = attrs_subset.length;

prv.comps = new ArrayList<BswabePrvComp>();

for (i = 0; i < len; i++) {

BswabePrvComp comp = new BswabePrvComp();

Element h_rtp;

Element rtp;

comp.attr = attrs_subset[i];

BswabePrvComp comp_src = new BswabePrvComp();

boolean comp_src_init = false;

for (int j = 0; j < prv_src.comps.size(); ++j) {

if (prv_src.comps.get(j).attr == comp.attr) {

comp_src = prv_src.comps.get(j);

comp_src_init = true;

break;

}

}

if (comp_src_init == false) {

throw new IllegalArgumentException("comp_src_init == false");

}

comp.d = pairing.getG2().newElement();

comp.dp = pairing.getG1().newElement();

h_rtp = pairing.getG2().newElement();

rtp = pairing.getZr().newElement();

elementFromString(h_rtp, comp.attr);

rtp.setToRandom();

h_rtp.powZn(rtp);

comp.d = g_rt.duplicate();

comp.d.mul(h_rtp);

comp.d.mul(comp_src.d);

comp.dp = pub.g.duplicate();

comp.dp.powZn(rtp);


comp.dp.mul(comp_src.dp);

prv.comps.add(comp);

}

return prv;

}

/*

* Pick a random group element and encrypt it under the specified access

* policy. The resulting ciphertext is returned and the Element given as an

* argument (which need not be initialized) is set to the random group

* element.

*

* After using this function, it is normal to extract the random data in m

* using the pbc functions element_length_in_bytes and element_to_bytes and

* use it as a key for hybrid encryption.

*

* The policy is specified as a simple string which encodes a postorder

* traversal of threshold tree defining the access policy. As an example,

*

* "foo bar fim 2of3 baf 1of2"

*

* specifies a policy with two threshold gates and four leaves. It is not

* possible to specify an attribute with whitespace in it (although "_" is

* allowed).

*

* Numerical attributes and any other fancy stuff are not supported.

*

* Returns null if an error occurred, in which case a description can be

* retrieved by calling bswabe_error().

*/

public static BswabeCphKey enc(BswabePub pub, String policy)

throws Exception {

BswabeCphKey keyCph = new BswabeCphKey();

BswabeCph cph = new BswabeCph();

Element s, m;

/* initialize */

Pairing pairing = pub.p;

s = pairing.getZr().newElement();

m = pairing.getGT().newElement();

cph.cs = pairing.getGT().newElement();

cph.c = pairing.getG1().newElement();

cph.p = parsePolicyPostfix(policy);

/* compute */

m.setToRandom();

s.setToRandom();

cph.cs = pub.g_hat_alpha.duplicate();

cph.cs.powZn(s); /* num_exps++; */

cph.cs.mul(m); /* num_muls++; */

cph.c = pub.h.duplicate();

cph.c.powZn(s); /* num_exps++; */


fillPolicy(cph.p, pub, s);

keyCph.cph = cph;

keyCph.key = m;

return keyCph;

}

/*

* Decrypt the specified ciphertext using the given private key, filling in

* the provided element m (which need not be initialized) with the result.

*

* Returns true if decryption succeeded, false if this key does not satisfy

* the policy of the ciphertext (in which case m is unaltered).

*/

public static BswabeElementBoolean dec(BswabePub pub, BswabePrv prv,

BswabeCph cph) {

Element t;

Element m;

BswabeElementBoolean beb = new BswabeElementBoolean();

m = pub.p.getGT().newElement();

t = pub.p.getGT().newElement();

checkSatisfy(cph.p, prv);

if (!cph.p.satisfiable) {

System.err.println("cannot decrypt, attributes in key do not satisfy policy");

beb.e = null;

beb.b = false;

return beb;

}

pickSatisfyMinLeaves(cph.p, prv);

decFlatten(t, cph.p, prv, pub);

m = cph.cs.duplicate();

m.mul(t); /* num_muls++; */

t = pub.p.pairing(cph.c, prv.d);

t.invert();

m.mul(t); /* num_muls++; */

beb.e = m;

beb.b = true;

return beb;

}

private static void decFlatten(Element r, BswabePolicy p, BswabePrv prv,

BswabePub pub) {

Element one;

one = pub.p.getZr().newElement();

one.setToOne();

r.setToOne();

decNodeFlatten(r, one, p, prv, pub);

}

private static void decNodeFlatten(Element r, Element exp, BswabePolicy p,

BswabePrv prv, BswabePub pub) {

if (p.children == null || p.children.length == 0)

decLeafFlatten(r, exp, p, prv, pub);


else

decInternalFlatten(r, exp, p, prv, pub);

}

private static void decLeafFlatten(Element r, Element exp, BswabePolicy p,

BswabePrv prv, BswabePub pub) {

BswabePrvComp c;

Element s, t;

c = prv.comps.get(p.attri);

s = pub.p.getGT().newElement();

t = pub.p.getGT().newElement();

s = pub.p.pairing(p.c, c.d); /* num_pairings++; */

t = pub.p.pairing(p.cp, c.dp); /* num_pairings++; */

t.invert();

s.mul(t); /* num_muls++; */

s.powZn(exp); /* num_exps++; */

r.mul(s); /* num_muls++; */

}

private static void decInternalFlatten(Element r, Element exp,

BswabePolicy p, BswabePrv prv, BswabePub pub) {

int i;

Element t, expnew;

t = pub.p.getZr().newElement();

expnew = pub.p.getZr().newElement();

for (i = 0; i < p.satl.size(); i++) {

lagrangeCoef(t, p.satl, (p.satl.get(i)).intValue());

expnew = exp.duplicate();

expnew.mul(t);

decNodeFlatten(r, expnew, p.children[p.satl.get(i) - 1], prv, pub);

}

}

private static void lagrangeCoef(Element r, ArrayList<Integer> s, int i) {

int j, k;

Element t;

t = r.duplicate();

r.setToOne();

for (k = 0; k < s.size(); k++) {

j = s.get(k).intValue();

if (j == i)

continue;

t.set(-j);

r.mul(t); /* num_muls++; */

t.set(i - j);

t.invert();

r.mul(t); /* num_muls++; */

}

}

private static void pickSatisfyMinLeaves(BswabePolicy p, BswabePrv prv) {

int i, k, l, c_i;

int len;

ArrayList<Integer> c = new ArrayList<Integer>();

if (p.children == null || p.children.length == 0)


p.min_leaves = 1;

else {

len = p.children.length;

for (i = 0; i < len; i++)

if (p.children[i].satisfiable)

pickSatisfyMinLeaves(p.children[i], prv);

for (i = 0; i < len; i++)

c.add(new Integer(i));

Collections.sort(c, new IntegerComparator(p));

p.satl = new ArrayList<Integer>();

p.min_leaves = 0;

l = 0;

for (i = 0; i < len && l < p.k; i++) {

c_i = c.get(i).intValue(); /* c[i] */

if (p.children[c_i].satisfiable) {

l++;

p.min_leaves += p.children[c_i].min_leaves;

k = c_i + 1;

p.satl.add(new Integer(k));

}

}

}

}

private static void checkSatisfy(BswabePolicy p, BswabePrv prv) {

int i, l;

String prvAttr;

p.satisfiable = false;

if (p.children == null || p.children.length == 0) {

for (i = 0; i < prv.comps.size(); i++) {

prvAttr = prv.comps.get(i).attr;

// System.out.println("prvAtt:" + prvAttr);

// System.out.println("p.attr" + p.attr);

if (prvAttr.compareTo(p.attr) == 0) {

// System.out.println("=staisfy=");

p.satisfiable = true;

p.attri = i;

break;

}

}

} else {

for (i = 0; i < p.children.length; i++)

checkSatisfy(p.children[i], prv);

l = 0;

for (i = 0; i < p.children.length; i++)

if (p.children[i].satisfiable)

l++;

if (l >= p.k)

p.satisfiable = true;

}

}

private static void fillPolicy(BswabePolicy p, BswabePub pub, Element e)


throws NoSuchAlgorithmException {

int i;

Element r, t, h;

Pairing pairing = pub.p;

r = pairing.getZr().newElement();

t = pairing.getZr().newElement();

h = pairing.getG2().newElement();

p.q = randPoly(p.k - 1, e);

if (p.children == null || p.children.length == 0) {

p.c = pairing.getG1().newElement();

p.cp = pairing.getG2().newElement();

elementFromString(h, p.attr);

p.c = pub.g.duplicate();

p.c.powZn(p.q.coef[0]);

p.cp = h.duplicate();

p.cp.powZn(p.q.coef[0]);

} else {

for (i = 0; i < p.children.length; i++) {

r.set(i + 1);

evalPoly(t, p.q, r);

fillPolicy(p.children[i], pub, t);

}

}

}

private static void evalPoly(Element r, BswabePolynomial q, Element x) {

int i;

Element s, t;

s = r.duplicate();

t = r.duplicate();

r.setToZero();

t.setToOne();

for (i = 0; i < q.deg + 1; i++) {

/* r += q->coef[i] * t */

s = q.coef[i].duplicate();

s.mul(t);

r.add(s);

/* t *= x */

t.mul(x);

}

}

private static BswabePolynomial randPoly(int deg, Element zeroVal) {

int i;

BswabePolynomial q = new BswabePolynomial();

q.deg = deg;

q.coef = new Element[deg + 1];

for (i = 0; i < deg + 1; i++)

q.coef[i] = zeroVal.duplicate();

q.coef[0].set(zeroVal);

for (i = 1; i < deg + 1; i++)

q.coef[i].setToRandom();

return q;


}
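The polynomial secret sharing that fillPolicy, evalPoly, randPoly, lagrangeCoef and decNodeFlatten above carry out in the exponent of group elements is easier to check in plain modular arithmetic. The following Python block is an added example and not the project's code: it shares a secret down a threshold tree exactly the way fillPolicy does (a k-of-n gate chooses a degree k-1 polynomial with q(0) equal to its secret and hands q(i) to child i) and reconstructs it with the same Lagrange coefficients at x = 0 that lagrangeCoef computes. The prime P, the tuple encoding of the tree and the demo policy are assumptions made for this example.

```python
"""Threshold secret sharing over the policy tree in Z_p.

Added example, not the project's code: it performs in plain modular
arithmetic what fillPolicy, evalPoly, randPoly, lagrangeCoef and
decNodeFlatten do in the exponent of group elements, so the
share-and-reconstruct logic can be checked without a pairing library.
The prime P, the tuple tree encoding and the demo policy are assumptions.
"""
import secrets
from typing import Dict, List, Tuple

P = (1 << 127) - 1   # Mersenne prime standing in for the group order r

# Constructed tree encoding: ("leaf", attr) or ("gate", k, [children]).
# Attribute names are assumed unique so a dict can hold the leaf shares.
Node = tuple


def rand_poly(deg: int, zero_val: int) -> List[int]:
    """Random degree-`deg` polynomial with q(0) = zero_val (mirrors randPoly)."""
    return [zero_val % P] + [secrets.randbelow(P) for _ in range(deg)]


def eval_poly(coef: List[int], x: int) -> int:
    """q(x) = sum(coef[i] * x^i) mod P, the loop in evalPoly."""
    r, t = 0, 1
    for c in coef:
        r = (r + c * t) % P
        t = (t * x) % P
    return r


def fill_policy(node: Node, secret: int, shares: Dict[str, int]) -> None:
    """Push `secret` down the tree (mirrors fillPolicy): a k-of-n gate picks a
    degree k-1 polynomial with q(0) = secret and gives child i the value q(i)."""
    if node[0] == "leaf":
        shares[node[1]] = secret
        return
    _, k, children = node
    q = rand_poly(k - 1, secret)
    for i, child in enumerate(children, start=1):
        fill_policy(child, eval_poly(q, i), shares)


def satisfiable(node: Node, attrs: List[str]) -> bool:
    if node[0] == "leaf":
        return node[1] in attrs
    return sum(satisfiable(c, attrs) for c in node[2]) >= node[1]


def lagrange_coef(satl: List[int], i: int) -> int:
    """Lagrange basis value l_i(0) over the index set satl, i.e.
    prod_{j != i} (-j) / (i - j) mod P, exactly as lagrangeCoef computes it."""
    r = 1
    for j in satl:
        if j != i:
            r = r * (-j) % P * pow(i - j, -1, P) % P
    return r


def reconstruct(node: Node, shares: Dict[str, int], attrs: List[str], exp: int = 1) -> int:
    """Recover this node's secret from the leaf shares (mirrors decNodeFlatten).
    `exp` is the product of the Lagrange coefficients on the path from the root;
    a leaf contributes share * exp, and the contributions simply add up (the
    Java multiplies group elements, which adds in the exponent)."""
    if node[0] == "leaf":
        return shares[node[1]] * exp % P
    _, k, children = node
    satl = [i for i, c in enumerate(children, start=1) if satisfiable(c, attrs)][:k]
    if len(satl) < k:
        raise ValueError("attribute set does not satisfy the policy")
    return sum(reconstruct(children[i - 1], shares, attrs, exp * lagrange_coef(satl, i) % P)
               for i in satl) % P


def demo(attrs: List[str]) -> Tuple[int, int]:
    """Share a random secret under "foo bar fim 2of3 baf 1of2" and rebuild it."""
    tree = ("gate", 1, [("gate", 2, [("leaf", "foo"), ("leaf", "bar"), ("leaf", "fim")]),
                        ("leaf", "baf")])
    secret = secrets.randbelow(P)
    shares: Dict[str, int] = {}
    fill_policy(tree, secret, shares)
    return secret, reconstruct(tree, shares, attrs)


if __name__ == "__main__":
    s, rebuilt = demo(["foo", "fim"])
    print(s == rebuilt)
```

In the Java code the leaf contribution is the pairing e(C_leaf, D_attr) / e(C'_leaf, D'_attr) raised to `exp`, and the products over the chosen leaves cancel the blinding factors so that only g^{s} survives in the exponent; the integer version above shows why any k shares of a gate suffice and fewer do not.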

private static BswabePolicy parsePolicyPostfix(String s) throws Exception {

String[] toks;

String tok;

ArrayList<BswabePolicy> stack = new ArrayList<BswabePolicy>();

BswabePolicy root;

toks = s.split(" ");

int toks_cnt = toks.length;

for (int index = 0; index < toks_cnt; index++) {

int i, k, n;

tok = toks[index];

if (!tok.contains("of")) {

stack.add(baseNode(1, tok));

} else {

BswabePolicy node;

/* parse kof n node */

String[] k_n = tok.split("of");

k = Integer.parseInt(k_n[0]);

n = Integer.parseInt(k_n[1]);

if (k < 1) {

System.out.println("error parsing " + s

+ ": trivially satisfied operator " +

tok);

return null;

} else if (k > n) {

System.out.println("error parsing " + s

+ ": unsatisfiable operator " + tok);

return null;

} else if (n == 1) {

System.out.println("error parsing " + s

+ ": identity operator " + tok);

return null;

} else if (n > stack.size()) {

System.out.println("error parsing " + s

+ ": stack underflow at " + tok);

return null;

}

/* pop n things and fill in children */

node = baseNode(k, null);

node.children = new BswabePolicy[n];

for (i = n - 1; i >= 0; i--)

node.children[i] = stack.remove(stack.size() - 1);

/* push result */

stack.add(node);

}

}

if (stack.size() > 1) {

System.out.println("error parsing " + s

+ ": extra node left on the stack");

return null;

} else if (stack.size() < 1) {


System.out.println("error parsing " + s + ": empty policy");

return null;

}

root = stack.get(0);

return root;

}

private static BswabePolicy baseNode(int k, String s) {

BswabePolicy p = new BswabePolicy();

p.k = k;

if (!(s == null))

p.attr = s;

else

p.attr = null;

p.q = null;

return p;

}

private static void elementFromString(Element h, String s)

throws NoSuchAlgorithmException {

MessageDigest md = MessageDigest.getInstance("SHA-1");

byte[] digest = md.digest(s.getBytes());

h.setFromHash(digest, 0, digest.length);

}

private static class IntegerComparator implements Comparator<Integer> {

BswabePolicy policy;

public IntegerComparator(BswabePolicy p) {

this.policy = p;

}

@Override

public int compare(Integer o1, Integer o2) {

int k, l;

k = policy.children[o1.intValue()].min_leaves;

l = policy.children[o2.intValue()].min_leaves;

return k < l ? -1 :

k == l ? 0 : 1;

}

}

}
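The policy machinery above (parsePolicyPostfix, checkSatisfy, pickSatisfyMinLeaves and the IntegerComparator) is small enough to restate without the pairing library. The Python block below is an added example, not the project's Java code: it parses the same postfix threshold-tree syntax, marks which subtrees a given attribute set satisfies, and then picks, per gate, the k satisfiable children that need the fewest leaves, which is what keeps the number of pairings at decryption minimal. Two points worth noticing from the parser rules: any token containing the substring "of" is treated as a gate, so attribute names such as "professor" cannot be used with this encoding; and where the Java parser returns null on a malformed policy (which enc then dereferences inside fillPolicy), this version raises ValueError with the same messages.

```python
"""Postfix threshold-tree policies: parse, test satisfiability, pick the
cheapest satisfying leaves.

Added example in Python mirroring parsePolicyPostfix, checkSatisfy and
pickSatisfyMinLeaves; not the project's Java code, no pairing library needed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PolicyNode:
    k: int                                   # threshold; 1 for a leaf
    attr: Optional[str] = None               # attribute name, leaves only
    children: List["PolicyNode"] = field(default_factory=list)
    # filled in by check_satisfy / pick_min_leaves
    satisfiable: bool = False
    min_leaves: int = 0
    satl: List[int] = field(default_factory=list)   # 1-based indices of chosen children


def parse_policy_postfix(policy: str) -> PolicyNode:
    """Build the tree from a postorder token list such as "foo bar fim 2of3 baf 1of2"."""
    stack: List[PolicyNode] = []
    for tok in policy.split():
        if "of" not in tok:
            stack.append(PolicyNode(k=1, attr=tok))
            continue
        # "kofn" gate; note that any token containing "of" is taken for a gate
        k_str, n_str = tok.split("of", 1)
        if not (k_str.isdigit() and n_str.isdigit()):
            raise ValueError(f"error parsing {policy!r}: malformed gate {tok}")
        k, n = int(k_str), int(n_str)
        if k < 1:
            raise ValueError(f"error parsing {policy!r}: trivially satisfied operator {tok}")
        if k > n:
            raise ValueError(f"error parsing {policy!r}: unsatisfiable operator {tok}")
        if n == 1:
            raise ValueError(f"error parsing {policy!r}: identity operator {tok}")
        if n > len(stack):
            raise ValueError(f"error parsing {policy!r}: stack underflow at {tok}")
        node = PolicyNode(k=k, children=stack[-n:])   # pop n operands, order kept
        del stack[-n:]
        stack.append(node)
    if len(stack) > 1:
        raise ValueError(f"error parsing {policy!r}: extra node left on the stack")
    if not stack:
        raise ValueError(f"error parsing {policy!r}: empty policy")
    return stack[0]


def check_satisfy(node: PolicyNode, attrs: List[str]) -> bool:
    """Mark every subtree the attribute set satisfies (mirrors checkSatisfy)."""
    if not node.children:
        node.satisfiable = node.attr in attrs
    else:
        n_sat = sum(check_satisfy(c, attrs) for c in node.children)
        node.satisfiable = n_sat >= node.k
    return node.satisfiable


def pick_min_leaves(node: PolicyNode) -> int:
    """Per gate, keep the k satisfiable children needing the fewest leaves
    (mirrors pickSatisfyMinLeaves and IntegerComparator)."""
    if not node.children:
        node.min_leaves = 1
        return 1
    for c in node.children:
        if c.satisfiable:
            pick_min_leaves(c)
    order = sorted(range(len(node.children)), key=lambda i: node.children[i].min_leaves)
    node.satl, node.min_leaves = [], 0
    for i in order:
        if len(node.satl) == node.k:
            break
        if node.children[i].satisfiable:
            node.satl.append(i + 1)            # 1-based, like the Java code
            node.min_leaves += node.children[i].min_leaves
    return node.min_leaves


def chosen_leaves(node: PolicyNode) -> List[str]:
    """Attributes that decryption would actually pair with after pick_min_leaves."""
    if not node.children:
        return [node.attr]
    out: List[str] = []
    for idx in node.satl:
        out.extend(chosen_leaves(node.children[idx - 1]))
    return out


def decryptable(policy: str, attrs: List[str]) -> List[str]:
    """Leaves a key holding `attrs` would use, or [] when the policy is unsatisfied."""
    root = parse_policy_postfix(policy)
    if not check_satisfy(root, attrs):
        return []
    pick_min_leaves(root)
    return chosen_leaves(root)


if __name__ == "__main__":
    print(decryptable("foo bar fim 2of3 baf 1of2", ["baf", "fim", "foo"]))
```

For the example policy from the comment block above, a key holding baf, fim and foo satisfies both branches of the root 1of2 gate; the min-leaves rule then selects the single leaf baf (one pairing pair) over the 2of3 branch (two), which is the same choice the Java code makes.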


abecph.java

import it.unisa.dia.gas.jpbc.Element;

public class BswabeCph {

/*

* A ciphertext. Note that this library only handles encrypting a single

* group element, so if you want to encrypt something bigger, you will have

* to use that group element as a symmetric key for hybrid encryption (which

* you do yourself).

*/

public Element cs; /* G_T */

public Element c; /* G_1 */

public BswabePolicy p;

}

abecphKey.java

import it.unisa.dia.gas.jpbc.Element;

public class BswabeCphKey {

/*

* This class is returned by methods that produce both a ciphertext (cph) and a key.

*/

public BswabeCph cph;

public Element key;

}

abeElementBoolean.java

import it.unisa.dia.gas.jpbc.Element;

public class BswabeElementBoolean {

/*

* This class is returned by methods that produce both a boolean and an

* Element.

*/

public Element e;

public boolean b;

}


abeMsk.java

import it.unisa.dia.gas.jpbc.Element;

public class BswabeMsk {

/*

* A master secret key

*/

public Element beta; /* Z_r */

public Element g_alpha; /* G_2 */

}

abePolicy.java

import java.util.ArrayList;

import it.unisa.dia.gas.jpbc.Element;

public class BswabePolicy {

/* serialized */

/* k=1 if leaf, otherwise threshold */

int k;

/* attribute string if leaf, otherwise null */

String attr;

Element c; /* G_1 only for leaves */

Element cp; /* G_1 only for leaves */

/* array of BswabePolicy and length is 0 for leaves */

BswabePolicy[] children;

/* only used during encryption */

BswabePolynomial q;

/* only used during decryption */

boolean satisfiable;

int min_leaves;

int attri;

ArrayList<Integer> satl = new ArrayList<Integer>();

}

abePolynomial.java import it.unisa.dia.gas.jpbc.Element;

public class BswabePolynomial {

int deg;

/* coefficients from [0] x^0 to [deg] x^deg */

Element[] coef; /* Z_r (of length deg+1); see randPoly, which duplicates a Z_r element */

}


abePrv.java

import java.util.ArrayList;

import it.unisa.dia.gas.jpbc.Element;

public class BswabePrv {

/*

* A private key

*/

Element d; /* G_2 */

ArrayList<BswabePrvComp> comps; /* BswabePrvComp */

}

abePrvComp.java

import it.unisa.dia.gas.jpbc.Element;

public class BswabePrvComp {

/* these actually get serialized */

String attr;

Element d; /* G_2 */

Element dp; /* G_2 */

/* only used during dec */

int used;

Element z; /* G_1 */

Element zp; /* G_1 */

}

abePub.java

import it.unisa.dia.gas.jpbc.Element;

import it.unisa.dia.gas.jpbc.Pairing;

public class BswabePub{

/*

* A public key

*/

public String pairingDesc;

public Pairing p;

public Element g; /* G_1 */

public Element h; /* G_1 */

public Element f; /* G_1 */

public Element gp; /* G_2 */

public Element g_hat_alpha; /* G_T */

}


SerializeUtils.java

import it.unisa.dia.gas.jpbc.CurveParameters;

import it.unisa.dia.gas.jpbc.Element;

import it.unisa.dia.gas.jpbc.Pairing;

import it.unisa.dia.gas.plaf.jpbc.pairing.DefaultCurveParameters;

import it.unisa.dia.gas.plaf.jpbc.pairing.PairingFactory;

import java.io.ByteArrayInputStream;

import java.util.ArrayList;

public class SerializeUtils {

/* Method has been tested OK */

public static void serializeElement(ArrayList<Byte> arrlist, Element e) {

byte[] arr_e = e.toBytes();

serializeUint32(arrlist, arr_e.length);

byteArrListAppend(arrlist, arr_e);

}

/* Method has been tested OK */

public static int unserializeElement(byte[] arr, int offset, Element e) {

int len;

int i;

byte[] e_byte;

len = unserializeUint32(arr, offset);

e_byte = new byte[(int) len];

offset += 4;

for (i = 0; i < len; i++)

e_byte[i] = arr[offset + i];

e.setFromBytes(e_byte);

return (int) (offset + len);

}

public static void serializeString(ArrayList<Byte> arrlist, String s) {

byte[] b = s.getBytes();

serializeUint32(arrlist, b.length);

byteArrListAppend(arrlist, b);

}

/*

* Usage:

*

* StringBuffer sb = new StringBuffer("");

*

* offset = unserializeString(arr, offset, sb);

*

* String str = sb.substring(0);

*/

public static int unserializeString(byte[] arr, int offset, StringBuffer sb) {

int i;

int len;

byte[] str_byte;

len = unserializeUint32(arr, offset);

offset += 4;

str_byte = new byte[len];


for (i = 0; i < len; i++)

str_byte[i] = arr[offset + i];

sb.append(new String(str_byte));

return offset + len;

}

public static byte[] serializeBswabePub(BswabePub pub) {

ArrayList<Byte> arrlist = new ArrayList<Byte>();

serializeString(arrlist, pub.pairingDesc);

serializeElement(arrlist, pub.g);

serializeElement(arrlist, pub.h);

serializeElement(arrlist, pub.gp);

serializeElement(arrlist, pub.g_hat_alpha);

return Byte_arr2byte_arr(arrlist);

}

public static BswabePub unserializeBswabePub(byte[] b) {

BswabePub pub;

int offset;

pub = new BswabePub();

offset = 0;

StringBuffer sb = new StringBuffer("");

offset = unserializeString(b, offset, sb);

pub.pairingDesc = sb.substring(0);

CurveParameters params = new DefaultCurveParameters()

.load(new ByteArrayInputStream(pub.pairingDesc.getBytes()));

pub.p = PairingFactory.getPairing(params);

Pairing pairing = pub.p;

pub.g = pairing.getG1().newElement();

pub.h = pairing.getG1().newElement();

pub.gp = pairing.getG2().newElement();

pub.g_hat_alpha = pairing.getGT().newElement();

offset = unserializeElement(b, offset, pub.g);

offset = unserializeElement(b, offset, pub.h);

offset = unserializeElement(b, offset, pub.gp);

offset = unserializeElement(b, offset, pub.g_hat_alpha);

return pub;

}

/* Method has been tested OK */

public static byte[] serializeBswabeMsk(BswabeMsk msk) {

ArrayList<Byte> arrlist = new ArrayList<Byte>();

serializeElement(arrlist, msk.beta);

serializeElement(arrlist, msk.g_alpha);


return Byte_arr2byte_arr(arrlist);

}

/* Method has been tested OK */

public static BswabeMsk unserializeBswabeMsk(BswabePub pub, byte[] b) {

int offset = 0;

BswabeMsk msk = new BswabeMsk();

msk.beta = pub.p.getZr().newElement();

msk.g_alpha = pub.p.getG2().newElement();

offset = unserializeElement(b, offset, msk.beta);

offset = unserializeElement(b, offset, msk.g_alpha);

return msk;

}

/* Method has been tested OK */

public static byte[] serializeBswabePrv(BswabePrv prv) {

ArrayList<Byte> arrlist;

int prvCompsLen, i;

arrlist = new ArrayList<Byte>();

prvCompsLen = prv.comps.size();

serializeElement(arrlist, prv.d);

serializeUint32(arrlist, prvCompsLen);

for (i = 0; i < prvCompsLen; i++) {

serializeString(arrlist, prv.comps.get(i).attr);

serializeElement(arrlist, prv.comps.get(i).d);

serializeElement(arrlist, prv.comps.get(i).dp);

}

return Byte_arr2byte_arr(arrlist);

}

/* Method has been tested OK */

public static BswabePrv unserializeBswabePrv(BswabePub pub, byte[] b) {

BswabePrv prv;

int i, offset, len;

prv = new BswabePrv();

offset = 0;

prv.d = pub.p.getG2().newElement();

offset = unserializeElement(b, offset, prv.d);

prv.comps = new ArrayList<BswabePrvComp>();

len = unserializeUint32(b, offset);

offset += 4;

for (i = 0; i < len; i++) {

BswabePrvComp c = new BswabePrvComp();


StringBuffer sb = new StringBuffer("");

offset = unserializeString(b, offset, sb);

c.attr = sb.substring(0);

c.d = pub.p.getG2().newElement();

c.dp = pub.p.getG2().newElement();

offset = unserializeElement(b, offset, c.d);

offset = unserializeElement(b, offset, c.dp);

prv.comps.add(c);

}

return prv;

}

public static byte[] bswabeCphSerialize(BswabeCph cph) {

ArrayList<Byte> arrlist = new ArrayList<Byte>();

SerializeUtils.serializeElement(arrlist, cph.cs);

SerializeUtils.serializeElement(arrlist, cph.c);

SerializeUtils.serializePolicy(arrlist, cph.p);

return Byte_arr2byte_arr(arrlist);

}

public static BswabeCph bswabeCphUnserialize(BswabePub pub, byte[] cphBuf) {

BswabeCph cph = new BswabeCph();

int offset = 0;

int[] offset_arr = new int[1];

cph.cs = pub.p.getGT().newElement();

cph.c = pub.p.getG1().newElement();

offset = SerializeUtils.unserializeElement(cphBuf, offset, cph.cs);

offset = SerializeUtils.unserializeElement(cphBuf, offset, cph.c);

offset_arr[0] = offset;

cph.p = SerializeUtils.unserializePolicy(pub, cphBuf, offset_arr);

offset = offset_arr[0];

return cph;

}

/* Method has been tested OK */

/* potential problem: the number to be serialized must be less than 2^31 (Java int is signed) */

private static void serializeUint32(ArrayList<Byte> arrlist, int k) {

int i;

byte b;

for (i = 3; i >= 0; i--) {

b = (byte) ((k & (0x000000ff << (i * 8))) >> (i * 8));

arrlist.add(Byte.valueOf(b));

}

}

/*

* Usage:

*

* You have to do offset += 4 after calling this method

*/

/* Method has been tested OK */

private static int unserializeUint32(byte[] arr, int offset) {

int i;

int r = 0;

for (i = 3; i >= 0; i--)

r |= (byte2int(arr[offset++])) << (i * 8);

return r;

}

private static void serializePolicy(ArrayList<Byte> arrlist, BswabePolicy p) {

serializeUint32(arrlist, p.k);

if (p.children == null || p.children.length == 0) {

serializeUint32(arrlist, 0);

serializeString(arrlist, p.attr);

serializeElement(arrlist, p.c);

serializeElement(arrlist, p.cp);

} else {

serializeUint32(arrlist, p.children.length);

for (int i = 0; i < p.children.length; i++)

serializePolicy(arrlist, p.children[i]);

}

}

private static BswabePolicy unserializePolicy(BswabePub pub, byte[] arr,

int[] offset) {

int i;

int n;

BswabePolicy p = new BswabePolicy();

p.k = unserializeUint32(arr, offset[0]);

offset[0] += 4;

p.attr = null;

/* children */

n = unserializeUint32(arr, offset[0]);

offset[0] += 4;

if (n == 0) {

p.children = null;

StringBuffer sb = new StringBuffer("");

offset[0] = unserializeString(arr, offset[0], sb);

p.attr = sb.substring(0);

p.c = pub.p.getG1().newElement();

p.cp = pub.p.getG1().newElement();

offset[0] = unserializeElement(arr, offset[0], p.c);

offset[0] = unserializeElement(arr, offset[0], p.cp);

} else {

p.children = new BswabePolicy[n];

for (i = 0; i < n; i++)


p.children[i] = unserializePolicy(pub, arr, offset);

}

return p;

}

private static int byte2int(byte b) {

if (b >= 0)

return b;

return (256 + b);

}

private static void byteArrListAppend(ArrayList<Byte> arrlist, byte[] b) {

int len = b.length;

for (int i = 0; i < len; i++)

arrlist.add(Byte.valueOf(b[i]));

}

private static byte[] Byte_arr2byte_arr(ArrayList<Byte> B) {

int len = B.size();

byte[] b = new byte[len];

for (int i = 0; i < len; i++)

b[i] = B.get(i).byteValue();

return b;

}

}

Policy.java

import java.util.ArrayList;

import java.util.Collections;

import java.util.Comparator;

import java.util.StringTokenizer;

public class LangPolicy {

public static String[] parseAttribute(String s) {

ArrayList<String> str_arr = new ArrayList<String>();

StringTokenizer st = new StringTokenizer(s);

String token;

String res[];

int len;

while (st.hasMoreTokens()) {

token = st.nextToken();

if (token.contains(":")) {

str_arr.add(token);

} else {

System.out.println("Some error happens in the input attribute");

System.exit(0);

}

}

Collections.sort(str_arr, new SortByAlphabetic());

len = str_arr.size();

res = new String[len];

for (int i = 0; i < len; i++)

res[i] = str_arr.get(i);

return res;

}

public static void main(String[] args) {

String attr = "objectClass:inetOrgPerson objectClass:organizationalPerson "

+ "sn:student2 cn:student2 uid:student2 userPassword:student2 "

+ "ou:idp o:computer mail:[email protected] title:student";

String[] arr = parseAttribute(attr);

for (int i = 0; i < arr.length; i++)

System.out.println(arr[i]);

}

static class SortByAlphabetic implements Comparator<String> {

@Override

public int compare(String s1, String s2) {

/* A Comparator must return a negative, zero or positive value; the

original never returned a negative number, which violates the contract

Collections.sort relies on and can make sorting fail at runtime. */

return s1.compareTo(s2);

}

}

}

AESCoder.java

import java.security.SecureRandom;

import javax.crypto.Cipher;

import javax.crypto.KeyGenerator;

import javax.crypto.SecretKey;

import javax.crypto.spec.SecretKeySpec;

public class AESCoder {

private static byte[] getRawKey(byte[] seed) throws Exception {

KeyGenerator kgen = KeyGenerator.getInstance("AES");

SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");

sr.setSeed(seed);

kgen.init(128, sr); // 192 and 256 bits may not be available

SecretKey skey = kgen.generateKey();

byte[] raw = skey.getEncoded();

return raw;

}

public static byte[] encrypt(byte[] seed, byte[] plaintext)

throws Exception {


byte[] raw = getRawKey(seed);

SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");

Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

cipher.init(Cipher.ENCRYPT_MODE, skeySpec);

byte[] encrypted = cipher.doFinal(plaintext);

return encrypted;

}

public static byte[] decrypt(byte[] seed, byte[] ciphertext)

throws Exception {

byte[] raw = getRawKey(seed);

SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");

Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

cipher.init(Cipher.DECRYPT_MODE, skeySpec);

byte[] decrypted = cipher.doFinal(ciphertext);

return decrypted;

}

}
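AESCoder.getRawKey above turns the random G_T element into an AES key by seeding a "SHA1PRNG" SecureRandom with the element's bytes and taking the generator's first output. What a seeded SecureRandom returns is provider-defined, so the same element can produce different keys on different Java platforms, and the key is not bound to any purpose. A key derivation function removes both problems. The block below is an added example, not the project's code: it implements HKDF with HMAC-SHA256 (RFC 5869) from the Python standard library and derives a 256-bit AES key from the serialized element; the salt and info labels are constructed for this example.

```python
"""Deriving the hybrid-encryption key from the CP-ABE group element.

Added example, not the project's code: HKDF (RFC 5869, HMAC-SHA256) as a
deterministic replacement for seeding a SecureRandom with the G_T element.
The salt and info labels are assumptions made for this example.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC(salt, IKM); an empty salt is replaced by HASH_LEN zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) | T(2) | ..., T(i) = HMAC(PRK, T(i-1) | info | i), truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length too large")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def aes_key_from_element(element_bytes: bytes) -> bytes:
    """256-bit AES key from the serialized G_T element m that Bswabe.enc returns.
    The same element always yields the same key, whatever the platform."""
    return hkdf(element_bytes, salt=b"cpabe-hybrid-v1", info=b"file-encryption-key", length=32)


if __name__ == "__main__":
    # constructed stand-in for m.toBytes(); a real element is 128+ bytes of pairing data
    print(aes_key_from_element(b"\x01" * 128).hex())
```

A second caveat about AESCoder that the block does not address: it uses AES in ECB mode, so equal plaintext blocks produce equal ciphertext blocks and nothing detects modification of the ciphertext. An authenticated mode such as AES-GCM is the usual replacement; it is not in the Python standard library, so it is not shown here.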

Common.java

import java.io.ByteArrayOutputStream;

import java.io.FileInputStream;

import java.io.FileOutputStream;

import java.io.IOException;

import java.io.InputStream;

import java.io.OutputStream;

public class Common {

/* read byte[] from inputfile */

public static byte[] suckFile(String inputfile) throws IOException {

/* available() is only an estimate of the bytes that can be read without

blocking and a single read() may return fewer bytes than requested, so

read the whole file with readAllBytes instead */

return java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(inputfile));

}

/* write byte[] into outputfile */

public static void spitFile(String outputfile, byte[] b) throws IOException {

OutputStream os = new FileOutputStream(outputfile);

os.write(b);

os.close();

}

public static void writeCpabeFile(String encfile,

byte[] cphBuf, byte[] aesBuf) throws IOException {

int i;

OutputStream os = new FileOutputStream(encfile);


/* write aes_buf */

for (i = 3; i >= 0; i--)

os.write(((aesBuf.length & (0xff << 8 * i)) >> 8 * i));

os.write(aesBuf);

/* write cph_buf */

for (i = 3; i >= 0; i--)

os.write(((cphBuf.length & (0xff << 8 * i)) >> 8 * i));

os.write(cphBuf);

os.close();

}

public static byte[][] readCpabeFile(String encfile) throws IOException {

int len;

/* readInt() is big-endian, matching the write loops in writeCpabeFile,

and readFully() fails on a short file instead of returning a partial

buffer; a negative length means the file is corrupt */

java.io.DataInputStream is = new java.io.DataInputStream(

new FileInputStream(encfile));

byte[][] res = new byte[2][];

byte[] aesBuf, cphBuf;

try {

/* read aes buf */

len = is.readInt();

if (len < 0)

throw new IOException("negative aes_buf length in " + encfile);

aesBuf = new byte[len];

is.readFully(aesBuf);

/* read cph buf */

len = is.readInt();

if (len < 0)

throw new IOException("negative cph_buf length in " + encfile);

cphBuf = new byte[len];

is.readFully(cphBuf);

} finally {

is.close();

}

res[0] = aesBuf;

res[1] = cphBuf;

return res;

}

/**

* Return a ByteArrayOutputStream instead of writing to a file

*/

public static ByteArrayOutputStream writeCpabeData(byte[] mBuf,

byte[] cphBuf, byte[] aesBuf) throws IOException {

int i;

ByteArrayOutputStream os = new ByteArrayOutputStream();

/* write m_buf */

for (i = 3; i >= 0; i--)

os.write(((mBuf.length & (0xff << 8 * i)) >> 8 * i));

os.write(mBuf);

/* write aes_buf */

for (i = 3; i >= 0; i--)

os.write(((aesBuf.length & (0xff << 8 * i)) >> 8 * i));

os.write(aesBuf);

/* write cph_buf */

for (i = 3; i >= 0; i--)

os.write(((cphBuf.length & (0xff << 8 * i)) >> 8 * i));

os.write(cphBuf);


os.close();

return os;

}

/**

* Read data from an InputStream instead of taking it from a file.

*/

public static byte[][] readCpabeData(InputStream is) throws IOException {

int len;

byte[][] res = new byte[3][];

byte[] mBuf, aesBuf, cphBuf;

/* readInt() is big-endian like the write loops in writeCpabeData, and

readFully() throws EOFException on a short stream instead of silently

returning a partial buffer; a negative length means a corrupt stream */

java.io.DataInputStream in = new java.io.DataInputStream(is);

try {

/* read m buf */

len = in.readInt();

if (len < 0)

throw new IOException("negative m_buf length");

mBuf = new byte[len];

in.readFully(mBuf);

/* read aes buf */

len = in.readInt();

if (len < 0)

throw new IOException("negative aes_buf length");

aesBuf = new byte[len];

in.readFully(aesBuf);

/* read cph buf */

len = in.readInt();

if (len < 0)

throw new IOException("negative cph_buf length");

cphBuf = new byte[len];

in.readFully(cphBuf);

} finally {

in.close();

}

res[0] = aesBuf;

res[1] = cphBuf;

res[2] = mBuf;

return res;

}

}
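Both SerializeUtils (unserializeUint32, unserializeElement, unserializeString) and Common (readCpabeFile, readCpabeData) read a 32-bit big-endian length from the input and then allocate `new byte[len]` before knowing whether that many bytes exist; with a Java `int` a length of 2^31 or more even turns negative. The Python block below is an added example, not the project's code: it reproduces the same on-disk layout (each field is a 4-byte big-endian length followed by the bytes, and the container written by Common.writeCpabeFile is aes_buf then cph_buf in that form) and shows the checks a reader of untrusted files needs: a length prefix that does not fit, a field that overruns the buffer, a length above a sane cap, and trailing bytes are all rejected. The field names and the cap are assumptions.

```python
"""Bounds-checked reader for the length-prefixed cpabe container.

Added example, not the project's code.  Same layout as serializeUint32 /
Common.writeCpabeFile: 4-byte big-endian length, then the bytes, per field.
MAX_FIELD is an assumed cap on a single field.
"""
import struct
from typing import Tuple

MAX_FIELD = 16 * 1024 * 1024  # assumed upper bound for any one field


def serialize_uint32(k: int) -> bytes:
    """Big-endian 32-bit length, as serializeUint32 writes it."""
    if not 0 <= k <= 0xFFFFFFFF:
        raise ValueError("length does not fit in 32 bits")
    return struct.pack(">I", k)


def read_field(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field at `offset`; return (field, new_offset)."""
    if offset + 4 > len(buf):
        raise ValueError(f"truncated length prefix at offset {offset}")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if length > MAX_FIELD:
        raise ValueError(f"field length {length} exceeds cap of {MAX_FIELD}")
    if offset + length > len(buf):
        raise ValueError(f"field of {length} bytes overruns buffer at offset {offset}")
    return bytes(buf[offset:offset + length]), offset + length


def write_cpabe_file(cph_buf: bytes, aes_buf: bytes) -> bytes:
    """Same byte layout as Common.writeCpabeFile: aes_buf first, then cph_buf."""
    return (serialize_uint32(len(aes_buf)) + aes_buf
            + serialize_uint32(len(cph_buf)) + cph_buf)


def read_cpabe_file(data: bytes) -> Tuple[bytes, bytes]:
    """Inverse of write_cpabe_file with the checks readCpabeFile lacks;
    returns (aes_buf, cph_buf) and rejects trailing bytes."""
    aes_buf, offset = read_field(data, 0)
    cph_buf, offset = read_field(data, offset)
    if offset != len(data):
        raise ValueError(f"{len(data) - offset} trailing bytes after the ciphertext")
    return aes_buf, cph_buf


if __name__ == "__main__":
    # constructed stand-ins for the serialized BswabeCph and the AES output
    blob = write_cpabe_file(b"CPH-BYTES", b"AES-BYTES")
    print(read_cpabe_file(blob))
```

The same read_field routine parses the element and string fields inside the serialized BswabePub, BswabeMsk, BswabePrv and BswabeCph structures, since SerializeUtils encodes each of them with exactly this length-then-bytes shape.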


Cpabe.java

import it.unisa.dia.gas.jpbc.Element;

import java.io.IOException;

import java.security.NoSuchAlgorithmException;

import cpabe.policy.LangPolicy;

import bswabe.Bswabe;

import bswabe.BswabeCph;

import bswabe.BswabeCphKey;

import bswabe.BswabeElementBoolean;

import bswabe.BswabeMsk;

import bswabe.BswabePrv;

import bswabe.BswabePub;

import bswabe.SerializeUtils;

public class Cpabe {

/**

* @param args

* @author Junwei Wang([email protected])

*/

public void setup(String pubfile, String mskfile) throws IOException,

ClassNotFoundException {

byte[] pub_byte, msk_byte;

BswabePub pub = new BswabePub();

BswabeMsk msk = new BswabeMsk();

Bswabe.setup(pub, msk);

/* store BswabePub into mskfile */

pub_byte = SerializeUtils.serializeBswabePub(pub);

Common.spitFile(pubfile, pub_byte);

/* store BswabeMsk into mskfile */

msk_byte = SerializeUtils.serializeBswabeMsk(msk);

Common.spitFile(mskfile, msk_byte);

}

public void keygen(String pubfile, String prvfile, String mskfile,

String attr_str) throws NoSuchAlgorithmException, IOException {

BswabePub pub;

BswabeMsk msk;

byte[] pub_byte, msk_byte, prv_byte;

/* get BswabePub from pubfile */

pub_byte = Common.suckFile(pubfile);

pub = SerializeUtils.unserializeBswabePub(pub_byte);

/* get BswabeMsk from mskfile */

msk_byte = Common.suckFile(mskfile);

msk = SerializeUtils.unserializeBswabeMsk(pub, msk_byte);

String[] attr_arr = LangPolicy.parseAttribute(attr_str);

BswabePrv prv = Bswabe.keygen(pub, msk, attr_arr);

/* store BswabePrv into prvfile */

prv_byte = SerializeUtils.serializeBswabePrv(prv);

Common.spitFile(prvfile, prv_byte);

}

public void enc(String pubfile, String policy, String inputfile,

String encfile) throws Exception {


BswabePub pub;

BswabeCph cph;

BswabeCphKey keyCph;

byte[] plt;

byte[] cphBuf;

byte[] aesBuf;

byte[] pub_byte;

Element m;

/* get BswabePub from pubfile */

pub_byte = Common.suckFile(pubfile);

pub = SerializeUtils.unserializeBswabePub(pub_byte);

keyCph = Bswabe.enc(pub, policy);

cph = keyCph.cph;

m = keyCph.key;

/* debug output: this writes the symmetric key material to stderr */

System.err.println("m = " + m.toString());

if (cph == null) {

System.out.println("Error happed in enc");

System.exit(0);

}

cphBuf = SerializeUtils.bswabeCphSerialize(cph);

/* read file to encrypted */

plt = Common.suckFile(inputfile);

aesBuf = AESCoder.encrypt(m.toBytes(), plt);

// PrintArr("element: ", m.toBytes());

Common.writeCpabeFile(encfile, cphBuf, aesBuf);

}

public void dec(String pubfile, String prvfile, String encfile,

String decfile) throws Exception {

byte[] aesBuf, cphBuf;

byte[] plt;

byte[] prv_byte;

byte[] pub_byte;

byte[][] tmp;

BswabeCph cph;

BswabePrv prv;

BswabePub pub;

/* get BswabePub from pubfile */

pub_byte = Common.suckFile(pubfile);

pub = SerializeUtils.unserializeBswabePub(pub_byte);

/* read ciphertext */

tmp = Common.readCpabeFile(encfile);

aesBuf = tmp[0];

cphBuf = tmp[1];

cph = SerializeUtils.bswabeCphUnserialize(pub, cphBuf);

/* get BswabePrv form prvfile */

prv_byte = Common.suckFile(prvfile);

prv = SerializeUtils.unserializeBswabePrv(pub, prv_byte);

BswabeElementBoolean beb = Bswabe.dec(pub, prv, cph);

System.err.println("e = " + beb.e.toString());

if (beb.b) {

plt = AESCoder.decrypt(beb.e.toBytes(), aesBuf);

Page 121: An Enhanced Cipher Text Policy Attribute based Encryption ...info.psu.edu.sa/psu/library/files/THE00013.pdf · An Enhanced Cipher Text Policy Attribute based Encryption for Outsourcing

120 | P a g e

Common.spitFile(decfile, plt);

} else {

System.exit(0);

}

}

}

Demo.java

import bswabe.Bswabe; /* needed for Bswabe.setup/keygen/delegate/enc/dec */
import bswabe.BswabeCph;
import bswabe.BswabeCphKey;
import bswabe.BswabeElementBoolean;
import bswabe.BswabeMsk;
import bswabe.BswabePrv;
import bswabe.BswabePub;

public class DemoForBswabe {

    final static boolean DEBUG = true;

    final static String inputfile = "file_dir/input.txt";
    final static String encfile = "file_dir/input.txt.cpabe";
    final static String decfile = "file_dir/input.txt.new";

    /* some test data: choose attr and policy */
    /* TODO: attr is expected in alphabetical order */
    static String[] attr = { "baf", "fim1", "fim", "foo" };
    static String[] attr_delegate_ok = { "fim", "foo" };
    static String[] attr_delegate_ko = { "fim" };
    /* postfix policy: 2 of {foo, bar, fim}, then 1 of {that gate, baf} */
    static String policy = "foo bar fim 2of3 baf 1of2";

    public static void main(String[] args) throws Exception {
        BswabePub pub = new BswabePub();
        BswabeMsk msk = new BswabeMsk();
        BswabePrv prv, prv_delegate_ok, prv_delegate_ko;
        BswabeCph cph;
        BswabeElementBoolean result;

        //attr = attr_kevin;
        //attr = attr_sara;
        //policy = policy_kevin_or_sara;

        println("//demo for bswabe: start to setup");
        Bswabe.setup(pub, msk);
        println("//demo for bswabe: end to setup");

        println("\n//demo for bswabe: start to keygen");
        prv = Bswabe.keygen(pub, msk, attr);
        println("//demo for bswabe: end to keygen");

        /* delegation derives a key for a subset of the original attributes */
        println("\n//demo for bswabe: start to delegate_ok");
        prv_delegate_ok = Bswabe.delegate(pub, prv, attr_delegate_ok);
        println("//demo for bswabe: end to delegate_ok");

        println("\n//demo for bswabe: start to delegate_ko");
        prv_delegate_ko = Bswabe.delegate(pub, prv, attr_delegate_ko);
        println("//demo for bswabe: end to delegate_ko");

        println("\n//demo for bswabe: start to enc");
        BswabeCphKey crypted = Bswabe.enc(pub, policy);
        cph = crypted.cph;
        println("//demo for bswabe: end to enc");

        println("\n//demo for bswabe: start to dec");
        result = Bswabe.dec(pub, prv, cph);
        println("//demo for bswabe: end to dec");
        if ((result.b == true) && (result.e.equals(crypted.key) == true))
            System.out.println("succeed in decrypt");
        else
            System.err.println("failed to decrypt");

        println("\n//demo for bswabe: start to dec with ok delegated key");
        result = Bswabe.dec(pub, prv_delegate_ok, cph);
        println("//demo for bswabe: end to dec with ok delegated key");
        if ((result.b == true) && (result.e.equals(crypted.key) == true))
            System.out.println("succeed in decrypt with ok delegated key");
        else
            System.err.println("failed to decrypt with ok delegated key");

        println("\n//demo for bswabe: start to dec");
        result = Bswabe.dec(pub, prv, cph);
        println("//demo for bswabe: end to dec");
        if ((result.b == true) && (result.e.equals(crypted.key) == true))
            System.out.println("succeed in decrypt");
        else
            System.err.println("failed to decrypt");

        /* the ko key holds only "fim", which cannot satisfy the policy */
        println("\n//demo for bswabe: start to dec with ko delegated key");
        result = Bswabe.dec(pub, prv_delegate_ko, cph);
        println("//demo for bswabe: end to dec with ko delegated key");
        if ((result.b == true) && (result.e.equals(crypted.key) == true))
            System.err.println("succeed in decrypt with ko delegated key (should not happen)");
        else
            System.out.println("failed to decrypt with ko delegated key");
    }

    private static void println(Object o) {
        if (DEBUG)
            System.out.println(o);
    }

}
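The demo's expected outcomes (the full key and the "ok" delegated key decrypt, the "ko" delegated key does not) follow from how the policy string is evaluated. The evaluator below is added illustration code, not part of the cpabe/bswabe library or of this thesis; it assumes the cpabe toolkit's postfix policy semantics, where an attribute token pushes a leaf and a "kofn" token pops the last n nodes into a threshold gate, and it reproduces the demo's three cases.

```python
import re
from dataclasses import dataclass, field

# Added illustration code (not from the cpabe/bswabe library): evaluates the
# postfix threshold-gate policy language used by the demo above.

@dataclass
class Node:
    """Leaf when children is empty (attr is set); otherwise a 'k of n' gate."""
    attr: str = ""
    k: int = 1
    children: list = field(default_factory=list)

GATE = re.compile(r"^(\d+)of(\d+)$")

def parse_policy(policy: str) -> Node:
    """Attribute tokens push leaves; 'kofn' pops the last n nodes into a gate."""
    stack: list = []
    for tok in policy.split():
        m = GATE.match(tok)
        if m is None:
            stack.append(Node(attr=tok))
            continue
        k, n = int(m.group(1)), int(m.group(2))
        if not 1 <= k <= n or len(stack) < n:
            raise ValueError(f"malformed gate {tok!r}")
        children = stack[-n:]
        del stack[-n:]
        stack.append(Node(k=k, children=children))
    if len(stack) != 1:
        raise ValueError("policy must reduce to a single root node")
    return stack[0]

def satisfies(node: Node, attrs: set) -> bool:
    """A leaf holds if its attribute is present; a gate needs >= k children."""
    if not node.children:
        return node.attr in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.k

def check(policy: str, attrs) -> bool:
    return satisfies(parse_policy(policy), set(attrs))

# Attribute sets and policy copied from the demo listing.
POLICY = "foo bar fim 2of3 baf 1of2"
ATTR = ["baf", "fim1", "fim", "foo"]
ATTR_DELEGATE_OK = ["fim", "foo"]
ATTR_DELEGATE_KO = ["fim"]

if __name__ == "__main__":
    for name, a in [("attr", ATTR), ("ok", ATTR_DELEGATE_OK), ("ko", ATTR_DELEGATE_KO)]:
        print(name, check(POLICY, a))
```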