|Divya bharathy S, Ramesh T
Dept of Computer Science Engineering, RMK Engineering College, Chennai, Tamil Nadu, India.
|Related article at Pubmed, Scholar Google|
Visit for more related articles at International Journal of Innovative Research in Science, Engineering and Technology
We propose a privacy preserving access control scheme for data storage, which supports anonymous authentication and performs decentralized key management. In the proposed scheme, the cloud adopts an access control policy and attributes hiding strategy to enhance security. This new scheme supports secure and efficient dynamic operation on data blocks, including: data update, creation, modification and reading data stored in the cloud. Moreover, our authentication and access control scheme is decentralized and robust, unlike other access control schemes designed for clouds which are centralized. We also provide options for file recovery. Extensive security and performance analysis shows that the proposed scheme is highly efficient and resilient against replay attacks. User revocation and access control policies highly contributes to avoid abuse of cloud services and shared technology issues
Access Control, Authentication, Cloud storage, access policy, attributes
Cloud Computing is the emerging technology where we can get platform as a service, software as a service and infrastructure as a service. When it comes to storage as a service, data privacy and data utilization are the primary issues to be dealt with. To handle the transaction of files to and from the cloud server, the files are encrypted before being outsourced to the commercial public cloud. The topic of cloud computing is gaining a lot of attention from both academic and industrial worlds. The main idea is to make applications available on flexible execution environments primarily located in the internet. In cloud computing, users can outsource their computation and storage to servers (also called clouds) using Internet. Clouds can provide several types of services like applications (e.g., Google Apps, Microsoft online),infrastructures (e.g., Amazon’s EC2, Eucalyptus, Nimbus), and platforms to help developers write applications (e.g., Amazon’s S3, Windows Azure). The storage holds pertinent data and information on function on how they will be implemented. Optimization on storage is based on how the storage facility protected from different attacks and availability of backup. Cloud computing is always about consistency and availability of service which will naturally require the storage to be available all the time. Much of the data stored in clouds is highly sensitive, for example, medical records and social networks. Security and privacy are thus very important issues in cloud computing. In one hand, the user should authenticate itself before initiating any transaction, and on the other hand, it must be ensured that the cloud or other users do not know the identity of the user. The cloud can hold the user accountable for the data it outsources, and likewise, the cloud itself accountable for the services it provides. The validity of the user who stores the data is also verified. Apart from the technical solutions to ensure security and privacy, there is also a need for law enforcement. Cloud servers are prone to Byzantine failure, where a storage server can fail in arbitrary ways. The cloud is also prone to data modification and server colluding attacks. In server colluding attack, the adversary can compromise storage servers, so that it can modify data files as long as they are internally consistent. To provide secure data storage, the data needs to be encrypted. However, the data is often modified and this dynamic property needs to be taken into account while designing efficient secure storage techniques.
Efficient search on encrypted data is also an important concern in clouds. The clouds should not know the query but should be able to return the records that satisfy the query. This is achieved by means of searchable encryption. Access control in clouds is gaining attention because it is important that only authorized users have access to valid service. A huge amount of information is being stored in the cloud, and much of this is sensitive information. Care should be taken to ensure access control of this sensitive information which can often related to health, important documents ( as in Google Docs or Dropbox) or even personal information (as in social networking).Access control is also gaining importance in online social networking where users (members) store their personal information, pictures, videos and share them with selected groups of users or communities they belong to. It is not just enough to store the contents securely in the cloud but it might also be necessary to ensure anonymity of the user. For example, a user would like to store some sensitive information but does not want to be recognized. The user might want to post a comment on an article, but does not want his/her identity to be disclosed. However, the user should be able to prove to the other users that he/she is a valid user who stored the information without revealing the identity.Existing work on access control in cloud are centralized in nature. Even if some decentralized approaches were proposed does not support authentication. Earlier work provides privacy preserving authenticated access control in cloud. However, the authors take a centralized approach where single key distribution center (KDC) distributes secret keys and attributes to all users.
A. EXISTING ARCHITECTURE
The pictorial overview of the existing architecture is depicted in Fig. 1.Existing access control architecture in cloud are centralized in nature. The scheme uses a symmetric key approach and does not support authentication. Earlier work provides privacy preserving authenticated access control in cloud. However, the authors take a centralized approach where single key distribution center (KDC) distributes secret keys and attributes to all users. Unfortunately, a single KDC is not only a single point of failure but difficult to maintain because of large number of users that are supported in a cloud environment. We, therefore, emphasize that clouds should take a decentralized approach while distributing secret keys and attribute to users. It is also quite natural for clouds to have may KDCs in different locations in the world.
B. PROPOSED ARCHITECTURE
The Single KDC architecture with no anonymous authentication makes it more complicated and it also increases the storage overhead at the single KDC. The pictorial overview of the decentralized KDC is depicted in Fig. 2.The proposed decentralized architecture, also authenticate users, who want to remain anonymous while accessing the cloud. We proposed a distributed access control mechanism in clouds. In the preliminary version of this paper, we extend the previous work with added features which enables to authenticate the validity of the message without revealing the identity of user who has stored information in the cloud. The CRUD operations which are Create, Read, Update and Delete on the data stored in the clouds are done with utmost privacy and efficiently.
In this paper, we also address user revocation. We use attribute based signature scheme to achieve authenticity and privacy. Our scheme is resistant to replay attacks, in which user can replace fresh data with stale data from previous write, even if it no longer has valid claim policy. This is an important property because a user, revoked of its attributes, might no longer be able to write to the cloud. The proposed architecture consists of the following modules. The decentralized Key Distribution Centre architecture here considers two KDCs. The pictorial representation of the overall flow of the proposed architecture is depicted in Fig. 2a. The file recovery option implemented makes use of the String matching algorithm.
1) Service Request to TPA: The user sends request to the Third Party Authenticator(TPA) for registration.The user first registers with his original identity and enrolls with the Third Party Authenticator(TPA).Once registered with the TPA, the user is been provided with a token for further authorization.
2) TPA Policy Creation:The TPA along with token provides the rules and regulation to be followed by Creator, Reader and Writer. The TPA is given a set of rules and regulations to be followed on authenticating the user during registration.Based upon the policy the user receives a token accordingly.
3) TPA Policy Creation:The TPA along with token provides the rules and regulation to be followed by Creator, Reader and Writer.
4) User File Upload:The file creator after getting proper authentication encrypts the file and uploads his files in the cloud.The file creator can do CRUD operations on his own files and only if authorized the user can do CRUD operations on other users private files. An access list is been maintained by the cloud admin.
5) KDC Key Generation:The Key Distribution Centers which are decentralized generate different keys to different types of users after getting tokens from users.
6) Key Revocation:Whenever there is mishehavior detected upon a user his key is revoked and that particular user can neither use or re-enter the cloud environment.
7) Cloud Admin: Cloud admin has the list of Key Distribution Centres(KDCs) and Third Party Authenticator(TPA). The cloud admin sets the norms(rules and regulations) to be followed by TPA on authenticating the user and KDC on providing authorization to the user. It monitors the TPA policies and the key generation policies and informs abnormal behaviours.
8) File Recovery: The user has an option on recovery of files which are corrupted or missing. The user can enter the name of the file which is corrupted and he wants to recover. The copy of the original file will be returned to the user on request.
9) User Revocation: A blacklist of usage will be maintained by the cloud admin,based on the misbehaviour. If a user found to do inappropriate access, the particular user profile is been blaclisted and the user on continuous misbehaving history will be noted and his access to the privacy system is revoked completely and the user cannot login to the system again
C. COMPARISON OF OUR SCHEME WITH EXISTING ACCESS CONTROL SCHEMES
The comparison of the related schemes with lacked few enhancements are compared in the following table.
D. EXPECTED OUTPUT OF THE PRIVACY SYSTEM:
We have presented a privacy preserving access control technique which is decentralized. The cloud authenticates the user by verifying the credential’s even without knowing the original identity of the user. We also address user revocation and our scheme prevents replay attacks. Key distribution is done in a decentralized way. The individual user’s access policy is been concealed and known only to each particular user. This paper can overcome the top threats in clouds which are identified recently. The threats that can be overcome are data loss, insecure APIs, Denial of Service, abuse of cloud services, shared technology issues. The proposed work also has options for file recovery. Using this file recovery options make our privacy system an efficient system.
The authors would like to thank the reviewers for their valuable comments that helped to improve the quality of the paper.
SushmitaRuj, MilosStojmenovic, AmiyaNayak, "Decentralized Access Control with Anonymous Authentication for Securing Data in Clouds,"IEEE Transactions on Parallel and Distributed Systems, pp. 1045-9219, 2013.
 S. Ruj, M. Stojmenovic and A. Nayak, “Privacy Preserving Access Control with Authentication for Securing Data in Clouds”, IEEE/ACM InternationalSymposium on Cluster, Cloud and Grid Computing, pp. 556–563, 2012.
 C. Wang, Q. Wang, K. Ren, N. Cao and W. Lou, “Toward Secure and Dependable Storage Services in Cloud Computing”, IEEE T. ServicesComputing, vol. 5, no. 2, pp. 220–232, 2012.
 J. Li, Q. Wang, C. Wang, N. Cao, K. Ren, and W. Lou, “Fuzzy keyword search over encrypted data in cloud computing,” in IEEE INFOCOM. , pp. 441–445, 2010.
 S. Kamara and K. Lauter, “Cryptographic cloud storage,” in Financial Cryptography Workshops, ser. Lecture Notes in Computer Science, vol.6054.Springer, pp. 136–149, 2010.
 H. Li, Y. Dai, L. Tian, and H. Yang, “Identity-based authentication for cloud computing,” in CloudCom, ser. Lecture Notes in Computer Science, vol. 5931. Springer, pp. 157–166, 2009.
 C. Gentry, “A fully homomorphic encryption scheme,” Ph.D. dissertation, StanfordUniversity, 2009, http://www.crypto.stanford.edu/craig.
 A.-R. Sadeghi, T. Schneider, and M. Winandy, “Token-based cloud computing,” in TRUST, ser. Lecture Notes in Computer Science, vol. 6101.Springer, pp. 417–429, 2010.
 R. K. L. Ko, P. Jagadpramana, M. Mowbray, S. Pearson, M. Kirchberg, Q. Liang, and B. S. Lee, “Trustcloud: A framework for accountability and trust in cloud computing,” HP Technical Report HPL- 2011-38. Available at http://www.hpl.hp.com/techreports/2011/HPL-2011-38.html.
 R. Lu, X. Lin, X. Liang, and X. Shen, “Secure Provenance: The Essential of Bread and Butter of Data Forensics in Cloud Computing,” in ACM ASIACCS, pp. 282–292, 2010.
 D. F. Ferraiolo and D. R. Kuhn, “Role-based access controls,” in 15th National Computer Security Conference, 1992.
 A B Lewko and B Waters, “Decentralizing attribute based encryption”, springer 2011.