seminar report on secure self destruction scheme in cloud computing

8/18/2019 seminar report on secure self destruction scheme in cloud computing

1/19

Seminar 2016 A SECURE DATA SELF-DESTRUCTION SCHEME IN CLOUD

COMPUTING

INTRODUCTION

Cloud computing is considered as the next step in the evolution of on-demand

information technology which combines a set of existing and new techniques from

research areas such as service-oriented architectures (SOA) and virtualiation! "ith the

rapid development of versatile cloud computing technology and services# it is routine

for users to leverage cloud storage services to share data with others in a friend circle#

e!g!# $ropbox# %oogle# $rive and AliCloud

&he shared data in cloud servers# however# usually contains users' sensitive information

(e!g!# personal profile# financial data# health records# etc!) and needs to be well

protected! As the ownership of the data is separated from the administration of them# the

cloud servers may migrate users' data to other cloud servers in outsourcing or share

them in cloud searching! &herefore# it becomes a big challenge to protect the privacy of

those shared data in cloud# especially in cross-cloud and big data environment! n order

to meet this challenge# it is necessary to design a comprehensive solution to support

user-defined authoriation period and to provide fine-grained access control during this

period! &he shared data should be self-destroyed after the user-defined expiration time!

One of the methods to alleviate the problems is to store data as a common encrypted

form! &he disadvantage of encrypting data is that the user cannot share hisher encrypted

data at a fine-grained level! "hen a data owner wants to share someone hisher

information# the owner must *now exactly the one heshe wants to share with! n many

applications# the data owner wants to share information with several users according to

the security policy based on the users' credentials!

Attribute-based encryption (A+,) has significant advantages based on the tradition public

*ey encryption instead of one-to-one encryption because it achieves flexible one-to-many

encryption

Dept O! C"mp#ter S$ien$e % En&& ' (ima) *+"t,i En&ineerin&

C"))e&e


2/19


COMPUTING

A+, scheme provides a powerful method to achieve both data security and fine-grained

access control! n the *ey-policy A+, (.-A+,) scheme to be elaborated # the ciphertext

is

labeled with set of descriptive attributes! Only when the set of descriptive attributes

satisfies the access structure in the *ey# the user can get the plaintext!

n general# the owner has the right to specify that certain sensitive information is only

valid for a limited period of time# or should not be released before a particular time!

&imed-release encryption (&/,) provides an interesting encryption service where an

encryption *ey is associated with a predefined release time# and a receiver can onlyconstruct the corresponding decryption *ey in this time instance!

0owever# applying the A+, to the shared data will introduce several problems with

regard to time-specific constraint and self-destruction# while applying the &S, will

introduce problems with regard to fine-grained access control! &o solve these problems

.-A+, is used and adding a constraint of time interval to each attribute in the set of

decryption attributes!

1.1 Related Works

1.1.1 Attribute-based encryption

Attribute-based encryption is one of the important applications of fuy identity-

based encryption! A+, comes in two flavors called .-A+, and ciphertext-policy A+,

(C.-A+,)! n C.-A+,# the ciphertext is associated with the access structure while the

private *ey contains a set of attributes! +ethencourt et al! proposed the first C.-A+,

scheme 1234# the drawbac* of their scheme is that security proof was only constructed

under the generic group model! &o address this wea*ness# Cheung et al! presented

another construction under a standard model 1254! "aters used a linear secret sharing

scheme (6SSS) matrix as a general set of access structures over the attributes and

proposed an efficient and provably secure C.-A+, scheme under the standard model!

n .-A+,# the idea is reversed7 the ciphertext contains a set of attributes and the

Dept O! C"mp#ter S$ien$e % En&& (ima) *+"t,i En&ineerin&

C"))e&e


3/19


COMPUTING

private *ey is related to the access structure! &he first construction of .-A+, scheme

was proposed in! n their scheme# when a user made a secret request# the trusted

authority determined which combination of attributes must appear in the ciphertext for

the user to decrypt! nstead of using the Shamir secret *ey technique in the private *ey#this scheme used a more generalied form of secret sharing to enforce a monotonic

access tree!

1.1.2 Secure self-destruction scheme

A well-*nown method for addressing this problem is secure deletion of sensitive

data after expiration when the data was used! /ecently# Cachin et al! employed a policy

graph to describe the relationship between attributes and the protection class and pro-

posed a policy-based secure data deletion scheme! /eardon et al! leveraged the graph

theory# +-tree structure and *ey wrapping and proposed a novel approach to the design

and analysis of secure deletion for persistent storage devices! +ecause of the properties

of physical storage media# the above-mentioned methods are not suitable for the cloud

computing environment as the deleted data can be recovered easily in the cloud servers

1.1.3 Time-specific encryption

&he time-specific encryption scheme &S,# proposed by .eterson et al# was

introduced as an extension of &/,! n &/,# a protected data can be encrypted in such a

way that it cannot be decrypted (even by a legitimate receiver who owns the decryption

*ey for the ciphertext until the time (called the release-time) that was specified by the

encryptor! 8ost of the previous &/, schemes that adopt a time-sever model are in fact

public-*ey &/, schemes! &hey do not consider the sensitive data privacy after

expiration

n the &S, scheme# a time sever broadcasts a time instant *ey (&)# a data

owner encrypts a message into a ciphertext during a time interval# and a receiver can

decrypt the ciphertext if the & is valid in that interval! asamatsu designed an

efficient &S, scheme by using forward-secure encryption (9S,) in which the sie of the

Dept O! C"mp#ter S$ien$e % En&& . (ima) *+"t,i En&ineerin&

C"))e&e


4/19


COMPUTING

ciphertext is greatly small than that generated by the previous schemes! &he time

interval may be considered as the authoriation period of the protected data# and &S,

schemes are able to meet this requirement! 0owever# it is a tric*y problem when the

traditional &S, is used in the cloud computing environment! Cloud computingenvironment needs a fine-grained access control# which cannot be provided by the

traditional &S, schemes!

1.2 Motivation

As the-state-of-the-art of the secure self-destruction scheme# both SS$$ and9ull.. have some limitations! 9irst# SS$$ does not consider the issue of the desired

release time of the sensitive data# the expiration time of both SS$$ and 9ull.. schemes

is limited by the $0& networ* and cannot be deter-mined by the user! Second# SS$$

and many other schemes are dependent on the ideal assumption of :;o attac*s on ! &hird# it is demonstrated that the


5/19


COMPUTING

decrypt the ciphertext successfully# the valid attributes should satisfy the access tree

where the time instant of each leaf in the users *ey should belong to the $A&

(e!g!#2B75?∈1?@7??#27??4) in the corresponding attribute in the ciphertext! As the

logical expression of the access tree can represent any desired data set with any timeinterval# it can achieve fine-grained access control! f the time instant is not in the

specified time interval# the ciphertext cannot be decrypted# i!e!# this ciphertext will be

self-destructed and no one can decrypt it be-cause of the expiration of the secure *ey!

&herefore# secure data self-destruction with fine-grained access control is achieved!

1.3 Contributions

n this paper# we propose a .-&SA+, scheme# which is a novel secure self-

destructing scheme for data sharing in cloud computing! "e first introduce the notion of

.-&SA+,# formalie the model of .-&SA+, and give the security model of it! &hen#

we give a specific construction method about the scheme! 9inally# prove that the .-

&SA+, scheme is secure!

,specially# .-&SA+, has the following advantages with regard to security and

fine-grained access control compared to other secure self-destructing schemes!

2) .-&SA+, supports the function of user-defined authoriation period and ensures

that the sensitive data cannot be read both before its desired release time and after

its expiration!

3) .-&SA+, does not require the ideal assump-tion of :;o attac*s on !

5) .-&SA+, is able to implement fine-grained access control during the

authoriation period and to ma*e the sensitive data self-destruction after expiration

without any human intervention!

Dept O! C"mp#ter S$ien$e % En&& / (ima) *+"t,i En&ineerin&

C"))e&e


6/19


COMPUTING

B) .-&SA+, is proven to be secure under the standard model by using the l-bilinear

$iffie-0ellman inversion assumption!

2. EXITIN! "TEM

As the-state-of-the-art of the secure self-destruction scheme# both SS$$ and

9ull.. have some limitations! 9irst# SS$$ does not consider the issue of the desired

release time of the sensitive data# the expiration time of both SS$$ and 9ull.. schemes

is limited by the $0& networ* and cannot be deter-mined by the user! Second# SS$$

and many other schemes are dependent on the ideal assumption of :;o attac*s on ! &hird# it is demonstrated that the


7/19


COMPUTING

observation that# in practical cloud application scenarios# each data item can be

associated with a set of attributes and every attribute is associated with a specification of

time interval (decryption attribute time interval# $A&)# e!g!# 1?@7??#27??4# denoting

that the encrypted data item can only be decrypted between ?@7?? to 27?? on aspecified date and it will not be recoverable before ?@7?? and after 27?? that day! &he

data owner encrypts hisher data to share with users in the system# in which every users

*ey is associated with an access tree and each leaf node is associated with a time instant#

e!g!# 2B75?! &he access tree of each user can be defined as a unique logical expression

over these $A& attributes to reflect the data item authoried to the user! n order to

decrypt the ciphertext successfully# the valid attributes should satisfy the access tree

where the time instant of each leaf in the users *ey should belong to the $A&

(e!g!#2B75?∈1?@7??#27??4) in the corresponding attribute in the ciphertext! As the

logical expression of the access tree can represent any desired data set with any time

interval# it can achieve fine-grained access control! f the time instant is not in the

specified time interval# the ciphertext cannot be decrypted# i!e!# this ciphertext will be

self-destructed and no one can decrypt it be-cause of the expiration of the secure *ey!

&herefore# secure data self-destruction with fine-grained access control is achieved!

$. #RE%IMIN&RIE

n this section# some preliminaries related to bilinear maps# complexity assumptions and

access structure are presented!

$.1 'ilinear Ma(s

6et % and % be two multiplicative cyclic groups with big prime order p! 6et g be a

generator of %! 6et e be a bilinear map e7 % D % E % with the following properties7

2) +ilinearity7 9or all u# v ∈ % and a# b ∈ Fp# the equation

e (ua , vb )=e(u , v)ab holds!

Dept O! C"mp#ter S$ien$e % En&& (ima) *+"t,i En&ineerin&

C"))e&e


8/19


COMPUTING

3) ;on-degeneracy7 e (g# g) ≠ 2!

5) Computability7 &here exists an efficient algorithm to compute bilinear map

e 7 % D % E %!

$.2 'ilinear Di))ie*+ell,an Inversion -'D+I &ssu,(tion

n order to prove the security of the .-&SA+, scheme# we introduce ) -+$0

assumption used! &he ) -+$0 problem in % is as follows7 %iven g# h and g y

i

in % for

i G 2# 3# HHH# ) as input for some un*nown random y ∈ Z P¿

output " ∈ % to decide

whether W =e(g ,h) y

i+1

! "e say that

a polynomial-time adversary A has advantage ϵ in solving the decisional ) -+$0

problem (% %3 ) if7

| Pr[A(g, h, y, e(g, h)yl+1 ) = 0]− Pr[A(g, h, y, e(g, h)z) = 0]| ≥ ϵ

where the probability is ta*en over random y# and the random bits consumed by A!

$efinition 2! 6et's say the (t# ϵ)-l-+$0 assumption holds in (%# %) if no t-time

algorithm has the probability at least in solving the l-+$0 problem for non-negligibleϵ

ϵ

$.3 &//ess stru/ture and a//ess tree

$.3.1 &//ess stru/ture

$efinition 3 (Access structure)! 6et I.2# .3# HHH # .nJ be a set of parties! A collection

A ⊆ 3I.2KHHH K.nJ is monotone if ∀+# C7 if + ∈ A and + ⊆ C then C ∈ A! An access structure

(respectively# monotonic access structure) is a collection (respectively# monotone collection) A

of non-empty subsets of I.2# .3 HHH # .nJ# i!e!# A ⊆ 3I.2KHHH K.nJLI∅J! &he sets in A are

called the authoried sets# and the sets not in A are called the unauthoried sets!

Dept O! C"mp#ter S$ien$e % En&& 10 (ima) *+"t,i En&ineerin&

C"))e&e


9/19


COMPUTING

$.3.2 &//ess tree 0it ti,e*s(e/i)i/ attributes

6et denote M as an access tree! ,ach non-leaf node of the tree represents a threshold

gate# described by a threshold value and its children! f numx is the number of children of a node

x and * x is its threshold value# then ? N * x N numx holds! &he threshold gate is an O/ gate when

threshold value * x G 2! f threshold value of node x satisfied * x G numx# it is an A;$ gate! ,ach

leaf node x of the tree is associated with a time instant t x! f the tx belongs to a time interval 1t6Kx#

t/Kx4# which is associated with the corresponding attribute x in the ciphertext# we let value * x G 2!

Some functions are defined in order to facilitate dealing with ! n # the function

parent(x) is rep-resented as the parent of the node x! &he component of attributes is associated

with the leaf node x in ! also defines an ordering between the children of a node which are

numbered from 2 to num! &he function index(x) returns such a number associated with the node

x# where the index values are uniquely allocated to nodes in for a given *ey!

n the following we will describe how to satisfy an access tree with attributes and time

constraints!

6et be a 6et be a P with root r! x is represented as the subtree of with the root

node at x! 9or the root r of # we denote r! f a set of attributes S satisQes x# we denote

it as x (S) G 2! x (S) is calculated recursively as follows7 f x is a non-leaf node#evaluate x(S) for all children x of the node x! x (S) returns 2 if and only if at least *x

children return 2! f x is a node belongs to the last layer from bottom# then x(S) returns

2 if and only if the current time instant tx associated with leaf node (attribute) in the

access tree belongs to time interval 1t6#x#t/#x4 associated with the corresponding attribute

x in the ciphertext# that is tx ∈ 1t6#x#t/#x4 with root r! x is represented as the subtree of

with the root node at x! 9or the root r of # we denote r ! f a set of attributes S satisQes

x# we denote it as x (S) G 2! x (S) is calculated recursively as follows7 f x is a nonleaf

node# evaluate x(S) for all children x of the node x! x (S) returns 2 if and only if at

least * x children return 2! f x is a node belongs to the last layer from bottom# then x (S)

returns 2 if and only if the current time instant t x associated with leaf node (attribute) in

the access tree belongs to time interval 1t6#x#t/#x4 associated with the corresponding

attribute x in the ciphertext# that is tx ∈ 1t6#x#t/#x4!


C"))e&e


10/19


COMPUTING

. CONCE#T &ND MODE%

n this section# some concepts are first described# and then the system model#

formal model and security model of the .-&SA+, scheme are presented!

.1 Con/e(ts

&o form a basis for the .-&SA+, scheme# we introduce the following concepts!


C"))e&e


11/19


COMPUTING

2) Authoriation period7 t is a time interval predefined by a data owner starting

from the desired release time and ending at the expiration time! &he ciphertext is

associated with this intervalK the user can construct the decryption *ey onlywhen the time instant is within this interval!

3) ,xpiration time7 t is a threshold time instant predefined by the owner! &he

shared data can only be accessed by the user before this time instant# because the

shared data will be self-destructed after expiration!

5) 9ull lifecycle7 t is a time interval from the creation of the shared data#

authoriation period to expiration time! &his paper provides full lifecycle privacy

protection for shared data in cloud computing!

.2 4ste, ,odel o) 5#*T&'E

n the system# we mainly focus on how to achieve fine-grained access control during

the authoriation period of the shared data in cloud and how to implement self-

destruction after expiration! Specifically# the system model is defined by dividing the

.-&SA+, scheme into the following six entities as shown in 9ig R!2!

(2) $ata Owner7 $ata owner can provide data or files that contain some sensitive

information# which are used for sharing with hisher friends (data users)! All

these shared data are outsourced to the cloud servers to store!

(3) Authority7 t is an indispensable entity which is responsible for generating#

distributing and man-aging all the private *eys# and is trusted by all the other

entities involved in the system!

(5) &ime Server7 t is a time reference server without any interaction with other

entities involved in the system! t is responsible for a precise release time

specification!

Dept O! C"mp#ter S$ien$e % En&& 1' (ima) *+"t,i En&ineerin&

C"))e&e


12/19


COMPUTING

(B) $ata sers7 $ata users are some peoples who passed the identity authentication

and access to the data outsourced by the data owner! ;otice that# the shared data

can only be accessed by the authoried users during its authoriation period!

(R) Cloud Servers7 t contains almost unlimited storage space which is able to store

and manage all the data or files in the system! Other entities with limited storage

space can store their data to the cloud servers!

(T) .otential Adversary7 t is a polynomial time adversary and described in the

security model of the .-&SA+, scheme in Security model for .-&SA+,!

9ig! R!2 System model of .-&SA+,

.3 6or,al Model o) 5#*T&'E


C"))e&e


13/19


COMPUTING

&he .-&SA+, scheme can be described as a collection of the following four

algorithms7 Setup# ,ncrypt# ey%en# and $ecrypt!

etu( -1 7 U8 &his algorithm is run by the Authority and ta*es as input the security

parameter 2 and attribute universe # generates system public parameters params and

the master *ey 8S! &he Authority publishes params and *eeps 8S secret to itself!

En/r4(t -M7 (ara,s7 7 T8 %iven the public parameters params# the shared message

8 which the owner wants to encrypt# the attribute set S and the set of time intervals &S

in which every element in &S is associated with a corresponding attribute in S! &his

algorithm generates the ciphertext C& which is associated with the fuy attribute set S!

5e4!en -M57 97 T :8 &his algorithm ta*es as input the master *ey 8S# the access

tree P and the time set & ! ,very attribute x in P is associated with a time instant tx ∈ &

! t outputs a private *ey S which contains P!

De/r4(t -CT7 58 &his algorithm ta*es as input the ciphertext C& and the private *ey

S! "hen a set of time-specific attributes satisfies P# it is able to decrypt the ciphertext

and return the plaintext 8!

.$ e/urit4 ,odel )or 5#*T&'E

.-&SA+, security is defined by the following games between an adversary A and a

challenger +!

Init! &he adversary A declares the attribute set M∗ that he wishes to be challenged upon!

Dept O! C"mp#ter S$ien$e % En&& 1. (ima) *+"t,i En&ineerin&

C"))e&e


14/19


COMPUTING

etu(! &he challenger + runs the Setup algorithm to generate params and 8S! &he

params is given to A!

#ase 1! A generates repeated private *eys corresponding to many access structures A=and time instants in which none of these attribute structures satisfies that M∗ ∈ A= !

Challenge! A submits two equal-length messages 8?# 82# and a challenge attribute set

M∗! + flips a random coin b# and encrypts 8b under M∗! &he ciphertext C& ∗ is given

to A!

#ase 2! Same as in phase 2! %uess! A outputs a guess b of b!

&he advantage of A in this game is defined as

AdvA G .r 1b G b4 U 23 !

$efinition 5! &he .-&SA+, scheme is indistinguishable secure against selective

attribute chosen plaintext attac* if all polynomial time adversaries have at most a

negligible advantage in the above game!


C"))e&e


15/19


COMPUTING

; CONTRUCTION O6 T+E 5#*T&'E C+EME

System level describes the implementations of the upper operations# while algorithm

level mainly focuses on the concrete details of the underlying algorithms which are

invo*ed by system level operations! &he details of these two levels are described as

follows!

;.1 4ste, des/ri(tions o) te 5#*T&'E

2) 4ste, setu(

Dept O! C"mp#ter S$ien$e % En&& 1/ (ima) *+"t,i En&ineerin&

C"))e&e


16/19


COMPUTING

n the system initialiation phase# a data owner chooses a large security

parameter V and attribute universe # and invo*es the algorithm Setup(2 # ) belonging

to the algorithm level to generate system parameters params and master *ey 8S!

3) En/r4(tion 0it ti,e /onstraint

&he data owner chooses an attribute set S for the shared message 8 and defines

a time interval set &S for S! &hen# the data owner invo*es the algorithm ,ncrypt(8#

params# S# &S ) to encrypt 8 to its ciphertext C which is associated with the set S and

&S ! 9inally# C& is sent to cloud servers!

5) 6ine*


17/19


COMPUTING

&herefore# the cyphertext C& is not able to be decrypted in polynomial time# facilitating

the self-destruction of the shared data after expiration!

CONC%UION

"ith the rapid development of versatile cloud services# a lot of new challenges have

emerged! One of the most important problems is how to securely delete the outsourced

data stored in the cloud severs! &o solve this# a novel .-&SA+, scheme which is able

to achieve the time-specified ciphertext by implementing flexible fine-grained access

control during the authoriation period and time-controllable self-destruction after


C"))e&e


18/19


COMPUTING

expiration to the shared and outsourced data in cloud computing along with a system

model and a security model for the .-&SA+, scheme! 9urthermore# we proved that

.-&SA+, is secure under the standard model with the decision ) -,xpanded +$0

assumption! &he comprehensive analysis indicates that the proposed .-&SA+,scheme is superior to other existing schemes!

'I'%IO!R+"

2) W! Xiong# 9! 6i# W! 8a# X! 6iu# F! Yao# and .! S! Chen# :A full lifecycle privacy

protection scheme for sensitive data in cloud computing#> .eer to-.eer ;etwor*ing

and Applications Available7 http7dx!doi!org2?!2??s23?Z5-?2B-?3@R-x


C"))e&e

http://dx.doi.org/10.1007/s12083-014-0295-xhttp://dx.doi.org/10.1007/s12083-014-0295-x


19/19


COMPUTING

3) .! Wamshidi# A! Ahmad# and C! .ahl# :Cloud migration research7 A systematic

review#> Cloud Computing# ,,, &ransactions on# vol! 2# no! 3# pp! 2B3[2R# 3?25!

5) /! 6u# 0! Fhu# X! 6iu# W! ! 6iu# and W! Shao# :&oward efficient and privacy-

preserving computing in big data era#> ;etwor*# ,,,# vol! 3Z# no! B# pp! BT[R?#

3?2B!

B) X! 6iu# W! 8a# W! Xiong# and %! 6iu# :Ciphertext-policy hierarchical attribute-based

encryption for fine-grained access control of encryption data#> nternational Wournal

of ;etwor* Security# vol! 2T# no! B# pp! 5R2[5R# 3?2B!

R) A! Sahai and +! "aters# :9uy identity-based encryption#> in Advances in

Cryptology[,/OC/Y.& 3??R# ser! 6;CS# vol! 52! Springer# 3??R# pp! BR[

B5


Documents

seminar report on secure self destruction scheme in cloud computing