
[IEEE 2011 IEEE 4th International Conference on Cloud Computing (CLOUD) - Washington, DC, USA (2011.07.4-2011.07.9)] 2011 IEEE 4th International Conference on Cloud Computing - Flexible


Flexible Authorization by Generating Public Re-decryption Trapdoor in Outsourced Scenarios

Yang ZHANG and Jun-Liang CHEN

State Key Laboratory of Networking and Switching Technology, Beijing University of Posts & Telecommunications, Beijing 100876, China

Abstract—With the rapid application of service-oriented technologies, service and data outsourcing has become a practical and useful computing paradigm. Many researchers have proposed the combined use of access control and cryptography to protect sensitive information in this outsourcing scenario. However, the rigid combination in existing approaches has difficulty satisfying the flexibility requirements of access control for diverse applications. In this paper, we propose flexible authorization by generating a public re-decryption trapdoor. The features of our solution are as follows: simple key management without the need for key derivation for users to decrypt ciphertexts; grouping users during authorization to reduce management workload; composing conditions for accessing new resources without generating new keys if the re-encryption keys for atomic conditions have been produced.

Keywords—Outsourced Data Service, Access Control, Proxy Re-encryption Scheme.

I. INTRODUCTION

As cloud services become popular on the Internet, users increasingly resort to service providers for publishing resources shared with others. Service providers are requested to realize data and service outsourcing architectures on a wide scale. Their basic assumption that service providers have complete access to the stored resources is not applicable to all actual scenarios, such as outsourcing sensitive data. Current solutions adopt encryption techniques instead of the legal protection offered by contracts when enforcing access control, i.e., the data owner encrypts data, sends ciphertexts to the service providers for storage, and distributes the corresponding key to authorized users [1], [2], [3], [4], [9].

In this paper, we propose a new access control solution to solve the above problems. Similar to the work of [16], we adopt the proxy re-encryption (PRE) scheme as the cornerstone. Nevertheless, this situation is hard for traditional PRE to tackle. The conditional proxy re-encryption (C-PRE) [5], [6] concept was introduced to partly address this problem: ciphertexts are generated under a certain condition, and the proxy can translate a ciphertext only if the associated condition is satisfied. Libert and Vergnaud [7] further considered C-PRE without assuming registered public keys. Although C-PRE is a good starting point for designing access control solutions in outsourcing scenarios, implanting the condition in ciphertexts implies that authorization happens during encryption in existing C-PRE schemes. As a result, besides the authorization being rigid, users with different conditions cannot be granted the privilege to access the encrypted resources, and the flexibility of access control is lost. Therefore, we improve the C-PRE scheme in [8] by postponing the binding of ciphertexts to the authorization procedure, which allows authorization to be appropriately separated from encryption.

II. CORE IDEA

A. Attribute Matrix and Access Matrix

In open environments, service requesters are not identified by unique names, but depend upon their attributes to gain access to resources. An attribute-based access control system can specify fine-grained protection requirements and support traditional access control models such as ACL, MAC, and RBAC. Therefore, it is also adopted in our solution. We will use simple matrices to specify our core idea. The attributes of user $u_i$ are presented as $\{w_1, w_2, \ldots\}$, where $w_j$ is the $j$-th attribute, such as $w_j = \langle name, value \rangle$. The relationship between the attributes and users can be represented as Table 1. One row describes which users have this attribute. Digit "1" in the matrix means the customer in the column has the attribute value in the row.

We use an access matrix to represent an authorization policy. Table 2 is such an example. In the access matrix, $R_1$ and $R_2$ denote the indicators of sensitive resources, $w_1$ and $w_2$ denote customers' attribute values, and digit "1" in the matrix means the customer who has the attribute value in the row has the right to access the resource in the column.

Supported by National Grand Fundamental Research 973 Program of China under Grant No. 2011CB302500.

The indicator of a sensitive resource $R_i$ can be regarded as the resource attribute, the index of the resource, or its location.

B. Binding Re-encryption Key to Access Matrix

Participants in our solution include a data owner $A$, a data outsourcee $P$, and a customer $B$. $A$ encrypts her sensitive data and sends it to $P$. $P$ stores and manages these encrypted data. $B$ accesses some parts of these data.

A sensitive resource $R_i$ is encrypted by $A$ using her public key. The corresponding ciphertext $CT_i$ is stored in the data outsourcee $P$. The ciphertext table is shown as Table 3. If a customer requests to access the resource $R_i$, $P$ finds the corresponding ciphertext $CT_i$ according to the indicator $R_i$.

Each user $u_l$ obtains a re-encryption key $rekey_{l,k}$ for each of her attributes $w_k$. The attribute matrix Table 1 will be transformed into the re-encryption key Table 4. A user's attribute is represented by a re-encryption key in our solution. From Table 3 and Table 4, we can see that a re-encryption key $rekey_{l,k}$ is bound to an attribute $w_k$ and a user $u_l$, but a ciphertext $CT_i$ is not bound to the attribute $w_k$. The re-encryption key $rekey_{l,k}$ cannot be used to directly re-encrypt the ciphertext $CT_i$, and $CT_i$ is independent of the re-encryption key managed by the data outsourcee $P$. How can access privilege be authorized to a user under this circumstance?

Table 1. Attribute Matrix

          $u_1$    $u_2$
$w_1$     1        0
$w_2$     1        1

Table 2. Access Matrix

          $R_1$    $R_2$
$w_1$     1        1
$w_2$     0        1

Table 3. Ciphertext Table

Res       $R_1$    $R_2$
Cip       $CT_1$   $CT_2$

Table 4. Rekey Table

          $u_1$         $u_2$
$w_1$     $rk_{1,1}$    0
$w_2$     $rk_{1,2}$    $rk_{2,2}$

Table 5. Privilege Table

          $CT_1$        $CT_2$
$w_1$     $pr_{1,1}$    $pr_{2,1}$
$w_2$     0             $pr_{2,2}$

2011 IEEE 4th International Conference on Cloud Computing

978-0-7695-4460-1/11 $26.00 © 2011 IEEE

DOI 10.1109/CLOUD.2011.87

We can transform the access matrix Table 1 into a privilege matrix Table 5, where the privilege-value is some cryptographic trapdoor. If a customer with an attribute $w_j$ has rights to access the resource $R_i$, the owner $A$ calculates a privilege-value $priv_{i,j}$ according to the ciphertext $CT_i$, attribute $w_j$, and $A$'s secret key. We emphasize that the privilege-value is based on the ciphertext, and combines the authorization with encryption. After the privilege-value $priv_{i,j}$ is published, the data outsourcee $P$ can use the re-encryption key $rekey_{l,j}$ to re-encrypt the ciphertext $CT_i$ into a ciphertext for the customer $u_l$ under $u_l$'s public key if $u_l$ has the attribute $w_j$ and requests to access the resource $R_i$. Thus, $u_l$ can decrypt the re-encrypted ciphertext to get $R_i$ using her private key.

From Tables 3, 4, and 5, we can conclude that the re-encryption key represents a user's attribute and can be produced in advance; the privilege-value links ciphertexts and attributes and can be computed on demand; the attribute is a bridge between the privilege-value and the re-encryption key. Therefore, the authorization can be realized by the assignment of the privilege-value, which translates an authorization policy into an encryption operation.
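The bookkeeping behind Tables 1 to 5 can be traced in a short model. This is an added example, not code from the paper: it contains no cryptography, the rekey and privilege-value entries are opaque placeholder labels, and all function names are hypothetical. It shows that the outsourcee can serve a request only when a re-encryption key and a published privilege-value meet on the same attribute, and that a later grant publishes a privilege-value without touching rekeys or ciphertexts.

```python
# Added illustration: bookkeeping only, no cryptography. Tokens are opaque labels.

ATTRIBUTE_MATRIX = {  # Table 1: attribute -> users holding it
    "w1": {"u1"},
    "w2": {"u1", "u2"},
}
ACCESS_MATRIX = {  # Table 2: attribute -> resources it may access
    "w1": {"R1", "R2"},
    "w2": {"R2"},
}
CIPHERTEXTS = {"R1": "CT1", "R2": "CT2"}  # Table 3


def build_rekey_table(attribute_matrix):
    """Table 4: one re-encryption key per (user, attribute), made in advance."""
    return {(user, attr): f"rekey[{user},{attr}]"
            for attr, users in attribute_matrix.items() for user in users}


def build_privilege_table(access_matrix, ciphertexts):
    """Table 5: one privilege-value per (ciphertext, attribute), made on demand."""
    return {(ciphertexts[res], attr): f"priv[{ciphertexts[res]},{attr}]"
            for attr, resources in access_matrix.items() for res in resources}


def reencryption_tokens(user, resource, rekeys, privs, ciphertexts=CIPHERTEXTS):
    """Return the (rekey, priv) pairs the outsourcee P could use to serve
    `resource` to `user`; an empty list means the request must be refused."""
    ct = ciphertexts[resource]
    attrs = sorted({a for (u, a) in rekeys if u == user})
    return [(rekeys[(user, a)], privs[(ct, a)]) for a in attrs if (ct, a) in privs]


def can_access(user, resource, rekeys, privs, ciphertexts=CIPHERTEXTS):
    """True when at least one attribute links a rekey to a privilege-value."""
    return bool(reencryption_tokens(user, resource, rekeys, privs, ciphertexts))


def grant(privs, resource, attr, ciphertexts=CIPHERTEXTS):
    """Authorize `attr` for `resource` after encryption: only a new
    privilege-value is published; rekeys and ciphertexts are unchanged."""
    updated = dict(privs)
    ct = ciphertexts[resource]
    updated[(ct, attr)] = f"priv[{ct},{attr}]"
    return updated


if __name__ == "__main__":
    rekeys = build_rekey_table(ATTRIBUTE_MATRIX)
    privs = build_privilege_table(ACCESS_MATRIX, CIPHERTEXTS)
    for u in ("u1", "u2"):
        for r in ("R1", "R2"):
            print(u, r, can_access(u, r, rekeys, privs))
    privs2 = grant(privs, "R1", "w2")
    print("u2 R1 after grant:", can_access("u2", "R1", rekeys, privs2))
```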

III. Flexible Authorization

A. Condition-separated PRE

CS-PRE consists of eight algorithms as follows:

1. Setup($1^k$): On input a security parameter $1^k$, the setup algorithm outputs a public parameter $param$.

2. KeyGen($param$): On input $param$, outputs a public/private key pair $(pk_i, sk_i)$ for user $u_i$.

3. RekeyGen($sk_i$, $w$, $pk_j$): Given $sk_i$, $pk_j$ and the condition $w$ of user $u_j$, outputs a re-encryption key $rk_{i \xrightarrow{w} j}$.

4. Enc($pk_i$, $m$): On input $pk_i$ and a message $m \in M$, outputs an original ciphertext $CT_i$.

5. ReEnc($rk_{i \xrightarrow{w} j}$, $CT_i$): Given a $rk_{i \xrightarrow{w} j}$, $CT_i$ for $u_i$, outputs a re-encryption ciphertext $CT_{re}$ for $u_j$ or error $\bot$.

6. GenPriv($CT_i$, $w$, $sk_i$): $u_i$ calculates the privilege-value $priv$ by $CT_i$. Outputs $priv$ for $u_j$ to access $CT_i$.

7. Dec($CT_i$, $sk_i$): Given $sk_i$, $CT_i$ for user $u_i$, outputs a message $m \in M$ or the error symbol $\bot$.

8. ReDec($CT_{re}$, $priv$, $sk_j$, $pk_i$): Given $sk_j$, $priv$ and a $CT_{re}$ for $u_j$, outputs a message $m \in M$ or $\bot$.

B. ReAC

In our solution, each participant lies in her own security domain, such as the owner domain, outsourcing domain, and customer domain. The owner $A$ acts as an authorization provider, which grants privileges to customers and generates re-encryption keys. The authorization provider may be controlled by the owner or by a trusted third party who provides it as a service. The outsourcee $P$, an encryption policy (EP) enforcer, enforces encryption policies, i.e., verifying authorization proofs and re-encrypting the outsourced resources with security tokens. The customer $B$ requests $A$ to grant some privileges to access sensitive resources and reads sensitive resources stored in $P$.

Figure 1 illustrates the architecture of the access control solution. The authorization provider consists of an authorization center entity, a bulletin service, and a rekey service. The authorization center generates and manages authorization policies. The rekey service uses the rekey algorithm to generate re-encryption keys according to authorization policies, and secretly provides them to the EP enforcer. The bulletin service uses the translator algorithm to generate the privilege-value, publishes the generated privilege-value and authorization goal, and provides some authorization witness to customers. The EP enforcer consists of a data service, a proof verifier entity, and a token storage entity. The data service manages the encrypted sensitive resources, and re-encrypts them when providing data to customers. The proof verifier verifies the access requests by logic inference. Token storage stores re-encryption keys and caches other items such as privilege values or an authorization goal. In the customer domain, there are two primary entities. The proof constructor constructs a proof sequence according to a customer's intention. The authorization prover interacts with the proof verifier to prove she has rights to access the sensitive resource.

The steps of Fig. 1 are described below in order:

- Preparative phase. $A$ encrypts sensitive resources and sends them to $P$. $P$ uses the data service to store and manage the encrypted sensitive resources.

- Step 1. The authorization provider generates re-encryption keys according to authorization policies.

- Step 2. The authorization provider secretly provides the re-encryption keys to the EP enforcer.

- Step 3. According to the authorization policies, the authorization provider generates the privilege value and authorization goal.

- Step 4. When she intends to access some resource, a customer requests the witness to construct a proof.

- Step 5. The customer interacts with the EP enforcer to prove privilege and get the resource. She retrieves the privilege value from the bulletin service to decrypt it.

- Step 6. The proof verifier requests the data service to re-encrypt the specified resource.

- Step 7. The data service retrieves the re-encryption keys to re-encrypt the encrypted resource.

Figure 1. The Architecture of ReAC. [Diagram not recoverable. Labeled components: Au Provider (Authorization Center, Bulletin Service, Rekey Service); EP Enforcer (Proof Verifier, Data Service, Tokens Storage); Customer Domain (Proof Constructor, Authorization Prover). Labeled steps: 1. Rekey Algorithm, 2, 3. Translator, 4. Authorization, 5. Access, 6, 7.]

REFERENCES

[1] A. Ceselli, E. Damiani, S. De Capitani di Vimercati, S. Jajodia, S. Paraboschi, and P. Samarati. Modeling and assessing inference exposure in encrypted databases. ACM Trans. on Information and System Security 8, 1, pp. 119-152, 2005.

[2] H. Hacigumus, B. Iyer, and S. Mehrotra. Providing database as a service. In Proc. of ICDE'02. IEEE Computer Society, Washington, pp. 29-39, 2002.

[3] H. Hacigumus, B. Iyer, S. Mehrotra, and C. Li. Executing SQL over encrypted data in the database-service-provider model. In Proc. of ACM SIGMOD'02. ACM, New York, pp. 216-227, 2002.

[4] S. De Capitani di Vimercati, S. Foresti, S. Jajodia. Preserving Confidentiality of Security Policies in Data Outsourcing. Proceedings of the 7th ACM workshop on Privacy in the electronic society, pp. 75-84, 2008.

[5] Q. Tang. Type-based proxy re-encryption and its construction. In Proc. of Indocrypt'08, pp. 130-144. Springer-Verlag, December 2008.

[6] J. Weng, R. H. Deng, X. Ding, C.-K. Chu, and J. Lai. Conditional proxy re-encryption secure against chosen-ciphertext attack. In Proc. of ASIACCS'09.

[7] B. Libert and D. Vergnaud. Unidirectional Chosen-Ciphertext Secure Proxy Reencryption. http://hal.inria.fr/ inria-00339530/.

[8] Weng, Y. Yang, Q. Tang, Robert H. Deng, and F. Bao. Efficient Conditional Proxy Re-encryption with Chosen-Ciphertext Security. In Proceedings of the 12th International Conference on Information Security, pp. 151-166, 2009.

[9] Yang Zhang, Jun-Liang Chen. A delegation solution for universal identity management. IEEE Transactions on Services Computing, 2011.3, pp. 70-81, 2011.
