IJCS_2016_0302004.pdf

8/16/2019 IJCS_2016_0302004.pdf

1/5

94 | International Journal of Computer Systems, ISSN-(2394-1065), Vol. 03, Issue 02, February, 2016

International Journal of Computer Systems (ISSN: 2394-1065), Volume 03 – Issue 02, February, 2016

Available at http://www.ijcsonline.com/

Decentralized Access Control Based Crime Analysis

aBadhusha S ,

aChippy Raju,

aDhanya V.S,

a Nazila A.N,

aSyamini S,

bSuja Vijayan,

cJooby E

ȦCollege of Engineering, Perumon, Kerala, IndiaBDepartment of Information Technology, College of Engineering, Perumon, Kerala, India

CDepartment of computer science, College of Engineering, Perumon, Kerala, India

Abstract

For securing data in cloud, we propose a new privacy preserving authenticated access control scheme. In this scheme,

mainly cloud verifies the users authenticity. And this be done without knowing the users identity before storing

information. It also has some added features of access control in which, only the authorized or valid users are able todecrypt the stored information. It also support modification, creation and reading data within the cloud and prevent

replay attacks. One of the main advantages of this scheme is the authentication and access control. But in other schemes

access control designed for clouds are centralized. And the scheme is also robust and decentralized. The properties that

are comparable to centralized approaches are communication, computation and storage.

Keywords: Access control, authentication, attribute based signature, attribute based encryption, cloud storage .

I. I NTRODUCTION

Cloud computing, also known as 'on-demandcomputing', is a kind of Internet-based computing, whereshared resources, data and information are provided tocomputers and other devices on-demand. Cloud computinghas now become a highly demanded service or utility due

to the advantages of high computing power, cheap cost ofservices, high performance, scalability, accessibility as wellas availability. Cloud vendors are experiencing growth. Ascloud computing provides storage space, a large amount ofredundant data is being stored and shared by users withspecified privilege, which define the access rights of thestored data. In cloud computing by using the internet userscan outsource their computation and storage to servers.This help the servers from the hassles of maintainingresources on-site. One significant challenge of cloudstorage services is the management of the ever-increasingvolume of data. Cloud computing provides a low cost,scalable, location independent infrastructure for data

management and storage. The rapid adoption of cloudservices is accompanied by increasing volumes of datastored at remote servers, hence techniques for saving diskspace and network bandwidth are needed. A centralupcoming concept in this context is deduplication, wherethe server stores a single copy of each file, in spite of howmany clients asked to store that file. All clients that storethe file merely use links to the single copy of the file storedat the server. Moreover, if the server already has a copy ofthe file then clients do not even need to store it again to theserver, thus saving bandwidth as well as storage. In atypical storage system with deduplication, a client firstuploads the data, the third party auditor which is a trustedone ,computes the hash value from the data which is

uploaded by the user and this hash value acts as theconvergent key and the third party auditor checks if thathash value already exists in its database. if the hash is not

in the database then the entire file will be stored in thecloud and the corresponding convergent key will be storedin the hash table. Otherwise, since the file already exists,the convergent key will be in the hash table (potentiallyuploaded by someone else),then the convergent keygenerated for the already uploaded file will be shared to thecurrent user thereby only one physical copy exists in the

cloud. That is, only one physical copy of that redundant fileis stored in the cloud. Several types of services likeapplications are provided by cloud. Since servers are

provided to a remote server security and privacy are ofmajor concern in cloud computing. User privacy is one ofthe important factor. The cloud can hold the useraccountable for the data it outsources and likewise thecloud itself accountable for the services it provides.

Access control in clouds is gaining attention because itis important that only authorized users have access to validservice. A huge amount of information is being stored inthe cloud, and much of this is sensitive information. Careshould be taken to ensure access control of this sensitive

information which can often be related to health, importantdocuments (as in Google Docs or Dropbox) or even

personal information (as in social networking). There are broadly three types of access control: user-based accesscontrol (UBAC), role-based access control (RBAC), andattribute-based access control (ABAC). In UBAC, theaccess control list contains the list of users who areauthorized to access data.

This is not feasible in clouds where there are manyusers. In RBAC users are classified based on theirindividual roles. Data can be accessed by users who havematching roles. The roles are defined by the system. Forexample, only faculty members and senior secretaries

might have access to data but not the junior secretaries.ABAC is more extended in scope, in which users are givenattributes, and the data has attached access policy. Only

8/16/2019 IJCS_2016_0302004.pdf

2/5

Badhusha S et al Decentralized Access Control Based Crime Analysis


users with valid set of attributes, satisfying the access policy, can access the data. All these work use acryptographic primitive known as attribute basedencryption (ABE). The extensible access control markuplanguage proposed for ABAC in clouds.

An area where access control is widely being used ishealth care. Clouds are being used to store sensitiveinformation about patients to enable access to medical

professionals, hospital staff, researchers, and policymakers. It is important to control the access of data so thatonly authorized users can access the data. Using ABE, therecords are encrypted under some access policy and storedin the cloud. Users are given sets of attributes andcorresponding keys. Only when the users have matchingset of attributes, can they decrypt the information stored inthe cloud. Access control is also gaining importance inonline social networking where users (members) store their

personal information, pictures, videos and share them withselected groups of users or communities they belong to.

Such data are being stored in clouds. It is very importantthat only the authorized users are given access to thoseinformation

However, the authors take a centralized approach wherea single key distribution center (KDC) distributes secretkeys and attributes to all users. Unfortunately, a singleKDC is not only a single point of failure but difficult tomaintain because of the large number of users that aresupported in a cloud environment. We, therefore,emphasize that clouds should take a decentralized approachwhile distributing secret keys and attributes to users. It isalso quite natural for clouds to have many KDCs indifferent locations in the world

we extend our previous work with added features thatenables to authenticate the validity of the message withoutrevealing the identity of the user who has storedinformation in the cloud. In this version we also addressuser revocation.

We use ABS scheme to achieve authenticity and privacy. our scheme is resistant to replay attacks, in whicha user can replace fresh data with stale data from a previouswrite, even if it no longer has valid claim policy. This is animportant property because a user, revoked of its attributes,might no longer be able to write to the cloud. We,therefore, add this extra feature in our scheme . Our schemealso allows writing multiple times which was not permittedin our earlier work .

1.1 Our Contributions

The main contributions of this paper are the following:

1. Distributed access control of data stored in cloud sothat only authorized users with valid attributes can accessthem.

2. Authentication of users who store and modify theirdata on the cloud.

3. The identity of the user is protected from the cloud

during authentication.

4. The architecture is decentralized, meaning that therecan be several KDCs for key management.

5. The access control and authentication are bothcollusion resistant, meaning that no two users can colludeand access data or authenticate themselves, if they areindividually not authorized.

6. Revoked users cannot access data after they have

been revoked.7. The proposed scheme is resilient to replay attacks. A

writer whose attributes and keys have been revoked cannotwrite back stale information.

8. The protocol supports multiple read and write on thedata stored in the cloud.

9. The costs are comparable to the existing centralizedapproaches, and the expensive operations are mostly done

by the cloud.

II. RELATED WORK

In ABE, a user has a set of attributes in addition to its

unique ID. There are two classes of ABEs. In key-policyABE or KP-ABE (Goyal et al. [27]), the sender has anaccess policy to encrypt data. A writer whose attributes andkeys have been revoked cannot write back staleinformation. The receiver receives attributes and secretkeys from the attribute authority and is able to decryptinformation if it has matching attributes. In Ciphertext-

policy, CP-ABE ([28], [29]), the receiver has the access policy in the form of a tree, with attributes as leaves andmonotonic access structure with AND, OR and otherthreshold gates. All the approaches take a centralizedapproach and allow only one KDC, which is a single pointof failure. Chase [30] proposed a multi authority ABE, inwhich there are several KDC authorities (coordinated by a

trusted authority) which distribute attributes and secretkeys to users. Multi authority ABE protocol was studied in[31] and [32], which required no trusted authority whichrequires every user to have attributes from at all the KDCs

III. IMPLEMENTATION

In this section, we present our cloud storage model,adversary model and the assumptions we have made in the

paper. Table 1 presents the notations used throughout the paper. We also describe mathematical background used inour proposed solution.

A. Assumptions

We make the following assumptions in our work:1. The cloud is honest-but-curious, which means that

the cloud administrators can be interested in viewing user’scontent, but cannot modify it. Honest-but-curious model ofadversaries do not tamper with data so that they can keepthe system functioning normally and remain undetected.

2. Users can have either read or write or both accessesto a file stored in the cloud.

3. All communications between users/clouds aresecured by secure shell protocol, SSH.

B. Formats of Access Policies

Access policies can be in any of the following formats:a. Boolean functions of attributes,

8/16/2019 IJCS_2016_0302004.pdf

3/5



b. Linear secret sharing scheme (LSSS) matrix of thedata [1], or

c. Monotone span programs

Attr ibute-Based Encryption:

a) System Initialization

b) Key Generation and Distribution by KDCs

c) Encryption by Sender

d) Decryption by Receiver

Attr ibute-Based Signature Scheme:

a) System Initialization

b) User Registration

c) KDC Setup

d) Attribute Generation

e) Sign

f) Verify

C. Hierarchical attribute-based Encryption

This scheme Hierarchical attribute-based encryption(HABE) consists of a root master (RM) that corresponds tothe third trusted party (TTP),multiple domain masters(DMs) in which the top-level DMs correspond to multipleenterprise users, and numerous users that correspond to all

personnel in an enterprise. This scheme used the propertyof hierarchical generation of keys in HIBE scheme togenerate keys.

Then, HABE scheme is defined by presentingrandomized polynomial time algorithms as follows:

Setup (K) →(params,MK0): The RM takes a

sufficiently large security parameter K as input, andoutputs system parameters params and root master keyMK0.

CreateDM (params,MK i, PKi+1)→ (MKi+1): Whetherthe RM or the DM generates master keys for the DMsdirectly under it using params and its master key.

CreateUser(params,MKi , PKu, PKa) → (SKi,u,

SKi,u,a):

The DM first checks whether U is eligible for a, whichis administered by itself. If so, it generates a user identitysecret key and a user attribute secret key for U, using

params and its master key; otherwise, it outputs “NULL”.

Encrypt(params; f ;A ; {PKa|a E A}) →(CT): A usertakes a file f, a DNF access control policy A, and publickeys of all attributes in A, as inputs, and outputs aciphertext CT.

Decrypt(params,CT,SKi,u,{SKi,u,a|aECCj} →

(f): A

user,whose attributes satisfy the j-th conjunctive clauseCCj, takes params, the ciphertext, the user identity secretkey, and the user attribute secret keys on all attributes inCCj, as inputs, to recover the plaintext.

IV. PROPOSED PRIVACY PRESERVING

AUTHENTICATED ACCESS CONTROL SCHEME

In this section, we propose our privacy preservingauthenticated access control scheme. According to ourscheme a user can create a file and store it securely in thecloud. This scheme consists of use of the two protocolsABE and ABS, There are three users, a creator, a reader,and writer. Creator Alice receives a token _ from thetrustee, who is assumed to be honest. A trustee can besomeone like the federal government who manages socialinsurance numbers etc.

8/16/2019 IJCS_2016_0302004.pdf

4/5



On presenting her id (like health/social insurancenumber), the trustee gives her a token _. There are multiple

KDCs (here 2), which can be scattered. For example, thesecan be servers in different parts of the world. A creator on

presenting the token to one or more KDCs receives keysfor encryption/decryption and signing. In the Fig. 1, SKsare secret keys given for decryption, Kx are keys forsigning. The message MSG is encrypted under the access

policy X. The access policy decides who can access thedata stored in the cloud. The creator decides on a claim

policy Y, to prove her authenticity and signs the messageunder this claim. The ciphertext C with signature is c, andis signature and stores the ciphertext C. When a readerwants to read, the cloud sends C. If the user has attributesmatching with access policy, it can decrypt and get backoriginal message. When a reader wants to read some data

stored in the cloud, it tries to decrypt it using the secretkeys it receives from the KDCs. If it has enough attributesmatching with the access policy, then it decrypts theinformation stored in the cloud.

Data Storage in Clouds

A user Uu have one or more trustees. This is used to prevent to the replay attacks. In this time data is not sent,then the user can write previous stale message back to thecloud with a valuable signature, even when its claim policyand attributes have been revoked.

Reading from the Cloud:

The user requests data from the cloud, the cloud sendsthe ciphertext using SSH protocol. Decryption proceedsusing algorithm ABE.

Writing to the Cloud:

The user must send its message with the claim policy asdone during file creation. The cloud verifies the claim

policy, and only if the user is authentic is allowed to writeon the file.

User Revocation:

It should be ensured that users must not have the abilityto access data, even if they possess matching set ofattributes.

V. SECURITY OF THE PROTOCOL

We will explain that our scheme authenticates a userwho wants to write to the cloud. A user should only write

provided the cloud is able to validate it access to the claim.An invalid user cannot receive the attributes from a KDC,if it do not have the credentials from the trustee. If a user’scredentials are revoked, then it cannot replace data with

previous data, thus preventing replay attacks.

Theorem 1. Our access control scheme is secure, collusionresistant and allows access only to authorized users.

Theorem 2. Our authentication data is correct, collusionsecure, resistant to the replay of attacks, and protects

privacy of the user.

Next we confirm that only a valid user with validaccess claim is only able to store the message in the cloud.A user who wants to create a file and tries to make a wrongaccess claim, cannot do so, since it will not have attributekeys Kx from the related KDCs. Since the message isencrypted, a user without valid access policy cannotdecrypt and change the information.

A. RSA Algorithm

RSA algorithm is used for securing user’sdetails(contents in PHR). RSA is a public key encryptionalgorithm. RSA involves a public key and a private key. The public key can be known by everyone and is used forencrypting messages. Messages encrypted with the publickey can only be decrypted in a reasonable amount of timeusing the private key. The keys for the RSA algorithm aregenerated the following way:

1. Choose two distinct prime numbers p and q.For security purposes, the integers p and q should

be chosen at random, and should be of similar bit-length. Prime integers can be efficiently foundusing a primality test.

2. Compute n = pq.n is used as the modulus for both the public and

private keys. Its length, usually expressed in bits,is the key length.

3. Compute φ(n) = φ( p)φ(q) = ( p− 1) (q − 1), whereφ is Euler's totient function.

4.

Choose an integer e such that 1 < e < φ(n) andgcd(e, φ(n)) = 1; i.e. e and φ(n) are co prime.e is released as the public key exponent andhaving a short bit-length and small Hammingweight results in more efficient encryption – mostcommonly 2

16 + 1 = 65,537. However, much

smaller values of e (such as 3) have been shown to be less secure in some settings.

5. Determine d as d −1

≡ e (mod φ(n)), i.e., d is themultiplicative inverse of e (modulo φ(n)).This is more clearly stated as solve for d given d ⋅e ≡ 1 (mod φ(n)). This is often computed using theextended Euclidean algorithm. d is kept as the

private key exponent.

8/16/2019 IJCS_2016_0302004.pdf

5/5



B. Encryption

Alice transmits her public key (n, e) to Bob and keepsthe private key secret. Bob then wishes to send message M to Alice. He first turns M into an integer m, such that 0 ≤ m < n by using an agreed-upon reversible protocol known asa padding scheme. He then computes the ciphertext c

corresponding to . This can be donequickly using the method exponentiation by squaring. Bobthen transmits c to Alice.

C. Decryption

Alice can recover m from c by using her private keyexponent d via computing

.Given m, she can recover the originalmessage M by reversing the padding scheme.

VI. CONCLUSION

We have presented a decentralized access controltechnique with anonymous authentication, which providesuser revocation and prevents replay attacks. The cloud doesnot know the identity of the user who stores information,

but only verifies the user’s credentials. Key distribution isdone in a decentralized way. One limitation is that thecloud knows the access policy for each record stored in thecloud. In future, we would like to hide the attributes andaccess policy of a user.

ACKNOWLEDGEMENT

We are greatly indebted to God Almighty for being theguiding light throughout with his abundant grace and

blessing that strengthened us to do this endeavour withconfidence. We express our heartfelt gratitude towardsProf. Z.A ZOYA, Principal, College of EngineeringPerumon, for extending all the facilities required for doingour project. We would also like to thank Dr Dheebha J,Head, Department of Computer Engineering, for providingconstant support and encouragement. Now We extend oursincere thanks to our project co-ordinator Mrs.Jooby E,Assistant professor of Computer Science Department and

project guide Dr. Suja Vijayan, Assistant professor ofInformation technology Department for guiding our workand providing timely advices and valuable suggestions.Last but not the least; we extend our heartfelt gratitude toour parents and friends for their support and assistance.

R EFERENCES

[1] S.Ruj,M.Stojmenovic, and A.Nayak,Privacy Preserving AcessControl with Authentication for Securing Data in Clouds,”Proc. IEEE/ACM Int’l Symp. Cluster, Cloud and Grid Computing, pp.556- 563, 2012.

[2] C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou, “Toward Secureand Dependable Storage Services in Cloud Computing,” IEEETrans. Services Computing, vol. 5, no. 2, pp. 220-232, Apr.-June2012.

[3]

J. Li, Q. Wang, C. Wang, N. Cao, K. Ren, and W. Lou, “Fuzzy Keyword Search Over Encrypted Data in Cloud Computing,” Proc.IEEE INFOCOM, pp. 441-445, 2010.

[4] S. Kamara and K. Lauter, “Cryptographic Cloud Storage,” Proc.

14th Int’l Conf. Financial Cryptography and Data Security, pp. 136-

149, 2010.

[5] H. Li, Y. Dai, L. Tian, and H. Yang, “Identity-BasedAuthentication for Cloud Computing,” Proc. First Int’l Conf. CloudComputing (CloudCom), pp. 157-166, 2009.

[6] C. Gentry, “A Fully Homomorphic Encryption Scheme,” PhD dissertation, Stanford Univ., http://www.crypto.stanford.edu/

craig, 2009.

[7] A.-R. Sadeghi, T. Schneider, and M. Winandy, “Token-Based

Cloud Computing,” Proc. Third Int’l Conf. Trust and Trustworthy

Computing (TRUST), pp. 417-429, 2010.

Documents

IJCS_2016_0302004.pdf