International Journal of Engineering Technology and Computer Research (IJETCR) Available Online at www.ijetcr.org
Volume 5; Issue 5; September-October: 2017; Page No. 146-152
File Hierarchy Attribute based Efficient Encryption Scheme in Cloud Computing
Radhika Balkunde1, Mr. Ramakrishna Prasad A L2
1M.tech Research Scholar, Dept. of CSE, VTU-CPGS, Bangaluru Region – 562101 [email protected]
2Assistant Professor, Dept of CSE, VTU-CPGS, Bangaluru Region – 562101
Abstract
Cipher text based encryption algorithm is widely used in cloud based environment due to their high reliability and efficiency. It is used to solve the challenging issues in multiuser secure data sharing scenario. These shared files over cloud have the hierarchical arrangement and multilevel hierarchical arrangement to store them. The scenario is evident in military and healthcare applications as it is mission critical and life critical data. However this architecture does not hold good in cloud application secure data sharing as the hierarchy is not maintained.
In this work, an efficient file hierarchy attribute based algorithm for secure data sharing in multiuser cloud environment is proposed. The proposed method is secure and reliable under standard assumptions and follows the possible security measures. The work is tested and verified by performing user evaluation.
Keywords: Data Sharing; File Hierarchy; Ciphertext-policy 1. INTRODUCTION
With the advancements in the network technology, the amount of data present over web is increasing drastically and so is the online data sharing. Cloud based data sharing is the next big thing in the market.
There are various such popular tools as Facebook, MySpace, Badoo etc. Cloud computing is one of the secure and most popular data sharing platform to resolve the excessive data sharing demand and expanding data centers. In cloud computing the data is stored in cloud, a virtual, non-physical storage space. Hence it becomes necessary to encrypt the data and provide secure access to the information stored. It also should deal with data theft and authenticated data access. Secure cloud storage must follow the data sharing principles. Access control [1- 2] is the first standard in cloud security which deals with principles of establishing the authorized data access.
In recent years Attribute based Encryption (ABE) [3-5]
has attracted the attention since it enables maintaining data privacy and realize fine-grained, one-to-many, and non-interactive access control.
Ciphertext-policy attribute based encryption (CP-ABE) [6-14] is one of the more feasible scheme which provides flexibility and is more suitable of general
cloud computing, as in Fig.1 authority accepts the user enrollment and creates some authentication parameters. Cloud Security Providers (CSP) is the manager of the cloud servers and provides multiple services to client in both single owner and multi- owner environment. Data is encrypted by data owners and uploads the encrypted data form which is the ciphertext to the CSP. Users download and decrypts these encrypted ciphertext from CSP. The shared files usually placed in a hierarchical structure.
The shared files are usually placed in hierarchical structure. These encrypted files are divided in to groups and sub-groups and are located at different access levels. If the files are in the same hierarchy level then the file structure could be encrypted by and integrated access structure the computation cost for storage of the ciphertext and time cost or the retrieval cost for encryption could be reduced to enhance the storage and boost the retrieval time.
Let us take personal health record (PHR) for example, to share this information securely in cloud environment a patient divides his personal information say X in to three parts x1, which contain his personal information such as name, address, emergency contacts etc. x2 say list of various doctors he consulted and their information such as name, hospital they work for, address of their clinic, etc.,
and x3 as his medical records which does not contain any sensitive PII data such as medical tests, results, operation notes and other information. Such patient adopts this method of data sharing i.e., CP-ABE to encrypt the information x1, x2 and x3 via different access policies based on his or her needs. Let us say the consulting physician needs to access all the three records to understand better about patient to do a better diagnosis. Medical researcher needs access to some medical test and their result information for academic research in this area. The other patients such as relatives or friends if affected by same issues might need the information about the doctors to consult will need access to only x3. Let us assume patient has set the structure say for x1, A1
{“Researcher” AND “Attending physician”}, for x3, A3
{“Friends and Relatives”AND “Attending physician”}for x3, A3{“Researcher”AND “Attending physician”}. The example is explained in Fig. 1.
Fig 1: A typical example of data sharing in multiuser cloud environment
Fig. 2: The integrated access structure.
Hence the possible ciphertexts are CT1 = CT3 = {T1, ˜ C1,C1,∀y ∈ Y1: Cy,C′y} where Y1={“Researcher” AND
“Attending physician”} and CT2 = {T2, ˜ C2,C2,∀y ∈ Y2: Cy,C′y}where Y2={“Cardiology”, “Researcher”} will be produced. From figure it is evident that both the structures have hierarchical structure possible which is extension of T2. They could be integrated one as in Fig 2.
Contribution: In this work, a layered model based efficient encryption scheme is proposed in cloud computing, named as file hierarchical structure based CP-ABE scheme (FH-CP-ABE) which is an extension of existing CP-ABE. There are three major contribution in this paper
1. To solve the problem of multiple hierarchical files sharing a layered architecture is proposed. These files are encrypted with common integrational structure.
2. It is secure and prevents the attacks such as plain text attacks (CPA) under the Decisional Bilinear Diffie- Hellman (DBDH).
3. Low storage cost and computational cost for encryption and decryption due to integrated layered architecture.
It differs from existing methods as it uses the layered architecture in flat directory hierarchical manner. It distributes the work of key creation on multiple domain authorization hence it reduces the traffic at authority for key distribution thereby reducing the network congestion.
Related Work
Sahaiand Waters [3] proposed fuzzy Identity Based Encryption (IBE) in 2005 which acted as the base for ABE encryption scheme. In parallel, another variant of ABE named CP-ABE [4-7], [5], [17] was proposed.
S. L. Wang et al., [18], proposed an encryption scheme will not only decrease the number of access structures to one, but also only require a secret key to decrypt all the authorization files. It is proved to be secure against the chosen-plaintext attack (CPA) under the decision bilinear Diffie-Hellman (DBDH) assumption.
Tanveer K et al., [19] proposed an efficient file hierarchy attribute-based encryption scheme is proposed in cloud computing. The layered access structures are integrated into a single access structure, and then, the hierarchical files are encrypted with the integrated access Structure.
J. Bethencourt, Amit Sahai, Brent Waters [20], a system for realizing complex access control on
encrypted data that we call Cipher text-Policy Attribute-Based Encryption. Lightweight devices, such as radio frequency identification tags, have a limited storage capacity, which has become a bottleneck form any applications, especially for security applications.
Shulan Wang et al., [21], an efficient file hierarchy attribute-based encryption scheme (FH-CP-ABE). The layered access structures are integrated into a single access structure, and then the hierarchical files are encrypted with the integrated access structure.
Architecture and Terminologies
Fig. 3 shows the schematic representation of the FH- CP-ABEsystem. It consists of 6 phase’s symmetric encryption and symmetric decryption based file sharing mechanism. There can be various files which needs to be shared over cloud and various access policies defined by the user for the same. Let us say m1, m2, m3 …. mnare the list of access policies defined by the user. The same needs to be encrypted to transfer and send over the cloud source. Further the specific key needs to be decrypted on the receiver side to decrypt the same. The following are the steps followed in this process. It covers all the encryption and decryption policy and the file sharing mechanism.
1. Symmetric encryption to generate the content key 2. ContentCiphertext Generation
3. FH-CP-ABE encryption
4. Content key and ciphertext generation 5. FH-CP-ABE decryption
6. Symmetric decryption Symmetric encryption
Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext.The keys may be identical or there may be a simple transformation to go between the two keys.
Content Ciphertext Generation
In this phase all the access policies are and the files are passed through the symmetric encryption scheme to generate the content key ck1, ck2, ck3 ….
Cknrespectively.
FH-CP-ABE encryption
In file hierarchy Ciphertext-policy attribute based encryption (FH-CP-ABE) takes the ciphertext content key generated by the symmetric encryption and the files in the file system which needs to be shared.
Further they are combined and passed to the encryption method.
Content key and ciphertext generation
The files along with the content key are taken to generate the content key and the ciphertext. These are combined to get the ciphertext content key. This key is passed further over the web to recipient using which they are decrypted.
FH-CP-ABE decryption
The files along with the content key are received at the user end and are passed through the decryption algorithm to generate content key back. These keys might be identical to the one generated at the time of encryption. If the same keys are generated and checksum is validated that means the proper lossless transmission has occurred. If not the files are retransmitted to get the proper content key.
Symmetric decryption
At the end of FH-CP-ABE decryption the content keys are generated back. These content keys are passed through the symmetric decryption to get back the files. The generated content keys are passed back to the symmetric decryption process to get the decrypted files. Which are readable by the end user as shown in Fig. 3. The overall file ciphertext is given as Eck = {Eck1(m1), Eck2(m2), …. Eckn(mn)}.
There are various terminologies which are involved in this work and they are as follows
1. Access Structure 2. Bilinear Maps 3. DBDH assumption 4. Hierarchical Access Tree
5. Systematic Definition and basic construction.
These are explained as follows A. Access Structure
An access tree is the hierarchical representation of the various level of users who can access the files in the cloud system let P = {P1, P2,P3, … Pn} are the set of parties that are allowed to access the files that are shared over the cloud environment. A collection ‘A’
belongs to ‘P’ is called authorized set if A is the non- empty set of the ‘P’, otherwise and has the rights to access the files, otherwise the sets are called the unauthorized sets.
B. Bilinear Maps
Let G0 and G1 be the groups of the primary order p.
then G0 is the bilinear map if the mapping e: G0 x G0
GT. And it must follow the properties as bi-linearity, non-degeneracy, computability.
C. DBDH Assumption
1. We say that the DBDH assumption holds if no polynomial algorithm has a non-negligible advantage in solving the DBDH problem.
2. The FH-CP-ABE scheme consists of four operations: Setup, KeyGen, Encrypt and Decrypt
3. The proposedschemeis said to besecureagainst CPA if no probabilistic polynomial-time adversaries have non-negligible advantage in the above game 4. Suppose DBDH assumption holds. Then no polynomial adversary can selectively break the proposed system
D. Hierarchical Access Tree
An access tree is the hierarchical representation of the various level of users who can access the files in
the cloud system. Fig 4. An example of three-level access tree.
Fig. 3: The system framework of FH-CP-ABE scheme.
Fig 5: An example of FH-CP-ABE scheme used in cloud computing. Data owner encrypts content keys ck = {ck1,ck2} under the access policy T. Users decrypt some or all content keys if users’ attribute set satisfies part or the whole T.
Fig 4: An example of three-level access tree.
E. Systematic Definition and basic construction Authority: it is the completely trusted entity that accepts the user enrollment and issues the keys to encryption and decryption for set up such as setup and KeyGen.
Cloud Service Provider: These are the entities providing facilities such as storage and access to the files that are shared and stored on cloud.
Data owner: Data owners are the ones who actually share the data over cloud system and have every right to access or delete the data. Most commonly is the user who uploads their information over web.
User: Users are one who access the data available over the cloud systems.
Proposed Architecture
The proposed architecture consists of 4 major components
1. Authority
2. Encryption Scheme 3. Cloud Service Providers 4. Users
Authority
Authority is the trusted party responsible for Setup and KeyGen.
Setup (1k): The initial setup is called as Setup, in which the authority generates key with security parameter [22-26]k and chooses random number α,β∈ Zp and generates the keys as PK = {G0,g,h = gβ,e(g,g)α} and MSK = {gα,β}
KeyGen (PK, MSK, S): The authority executes the algorithm which inputs a set of attributes S(S ⊆ ˜ A) and creates a secret key SK, where r ∈Zp and rj∈Zpare randomly chosen for each user and each attribute j ∈ S. SK = {D = gα ·hr, ∀j ∈ S : Dj = gr ·H1(j)rj,D′ j = hrj }
Encryption Scheme Encryption:
Ci = ckie(g,g)αsi,C′i = gsi
C(x,y) = hq(x,y)(0)
C′ (x,y) = H1(att(x,y))q(x,y)(0)
ˆ C(x,y),j ={ e(g,g)α·(q(x,y)(0)+qchildj (0)) ·H2(e(g,g)αq(x,y)(0))} CT = {T, ˜ Ci,C′i,C(x,y), C′(x,y), ˆ C(x,y),j}
Decryption:
DecryptNode(CT,SK,(x,y)) = e(Di,C(x,y)) e(D′i,C′(x,y))
=e(grH1(i)ri,hq(x,y)(0)) / e(hri,H1(att(x,y)q(x,y)(0)))
= e(g,g)rβq(x,y)(0)
Cloud Service Providers
Cloud service providers provide the functionalities and the access right to the data saved over web. They allocate and manage the space over cloud system.
This is used to extend the service to the end users and allow them to fetch the data over globally dispersed network. They rely mostly on user credential authorization and on user certificate evaluation. The trusted entities evaluate these certificate and allow features as store and retrieve the data present online.
Users
Users are the critical and most important part of the system. They load the data over cloud and assign the policies to share. Based on these policies the hierarchical structure is formed and analyzed to generate the access tree and provide the system concurrency access to restrict the unauthorized access and enforce the security policies. The same is true for the decryption side. Users give their credentials to the authorization party and receive the keys as per the share rights and use them to decrypt the file information and access them as per allowed usage.
Conclusions
In this work, we propose the CP-ABE based encryption-decryption algorithm to efficiently share the files in hierarchical manner in multi-user cloud environment and can be used in cloud computing.
These stored hierarchical files are encrypted in an integrated manner to reduce the storage space and reduce the time complexity while retrieving the same. As a result the overall efficiency is increased.
Further is enables users easy decryption and the cost of decryption is also reduced. The proposed method is secure and follows the DBDH principles to give the
References
1. T. H. Yuen, J. K. Liu, M. H. Au, X. Huang, W. Susilo, and J. Zhou, “ktimes attribute-based anonymous access control for cloud computing,” IEEE Transactions on Computers, vol. 64, no. 9, pp.
2595–2608, September 2015.
2. J. K. Liu, M. H. Au, X. Huang, R. Lu, and J. Li, “Fine- grained twofactor access control for web-based cloud computing services,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 3, pp. 484–497, March 2016..
3. Sahai and B. Waters, “Fuzzy identity-based encryption,” Advances in Cryptology–
EUROCRYPT, pp. 457–473, May 2005.
4. V. Goyal, O. Pandey, A. Sahai, and B. Waters,
“Attribute-based encryption for fine-grained access control of encrypted data,” Proceedings of the 13th ACM conference on Computer and communications security, pp. 89–98, October 2006.
5. W. Zhu, J. Yu, T. Wang, P. Zhang, and W. Xie,
“Efficient attribute-based encryption from R- LWE,” Chinese Journal of Electronics, vol. 23, no.
4, pp. 778–782, October 2014.
6. Bethencourt, A. Sahai, and B. Waters,
“Ciphertext-policy attributebased encryption,”
IEEE Symposium on Security and Privacy, pp.
321– 334, May 2007.
7. Cheung and C. Newport, “Provably secure ciphertext policy ABE,” Proceedings of the 14th ACM conference on Computer and communications security, pp. 456–465, October 2007.
8. Ibraimi, M. Petkovic, S. Nikova, P. Hartel, and W.
Jonker, “Mediated ciphertext-policy attribute- based encryption and its application,”
Information Security Applications, pp. 309–323, August 2009.
9. X. Xie, H. Ma, J. Li, and X. Chen, “An efficient ciphertext-policy attribute-based access control towards revocation in cloud computing,” Journal of Universal Computer Science, vol. 19, no. 16, pp. 2349–2367, October 2013.
10. F. Guo, Y. Mu, W. Susilo, D. S. Wong, and V.
Varadharajan, “CP-ABE with constant-size keys for lightweight devices,” IEEE Transactions on Information Forensics and Security, vol. 9, no. 5, pp. 763–771, May 2014.
11. Balu and K. Kuppusamy, “An expressive and provably secure ciphertext-policy attribute-based
encryption,” Information Sciences, vol. 276, pp.
354–362, August 2014.
12. X. Liu, J. Ma, J. Xiong, and G. Liu, “Ciphertext- policy hierarchical attribute-based encryption for fine-grained access control of encryption data,”
International Journal of Network Security, vol. 16, no. 6, pp. 437–443, July 2014.
13. Y. Chen, Z. L. Jiang, S. Yiu, J. K. Liu, M. H. Au, and X. Wang, “Fully secure ciphertext-policy attribute based encryption with security mediator,”
Proceedings of the 16th International Conference on Information and Communications Security, vol. 8958, pp. 274–289, December 2014.
14. Y. Yang, J. K. Liu, K. Liang, K. R. Choo, and J. Zhou,
“Extended proxy-assisted approach: Achieving revocable fine-grained encryption of cloud data,”
Computer Security in ESORICS 2015, vol. 9327, pp. 146–166, September 2015
15. H. Zheng, Q. Yuan, and J. Chen, “A framework for protecting personal information and privacy,”
Security and Communication Networks, vol. 8, no. 16, pp. 2867–2874, November 2015.
16. F. Xhafa, J. Wang, X. Chen, J. K. Liu, J. Li, and P.
Krause, “An efficient PHR service system supporting fuzzy keyword search and finegrained access control,” Soft Computing, vol. 18, no. 9, pp. 1795–1802, September 2014.
17. Waters, “Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization,” Public Key Cryptography–
PKC, vol. 6571, pp. 53–70, March 2011.
18. L. Wang et al., "A Novel File Hierarchy Access Control Scheme Using Attribute-Based Encryption", Applied Mechanics and Materials, Vols. 701-702, pp. 911-918, 2015.
19. J. Bethencourt, A. Sahai, and B. Waters,
“Ciphertext-policy attribute-based encryption,” in Proc. IEEE Symp. Secur. Privacy, May 2007, pp.
321–334.
20. J. Hur, “Improving security and efficiency in attribute-based data sharing,” IEEE Transactions on Knowledge and Data Engineering, vol. 25, no.
10, pp. 2271–2282, August 2013.
21. M. Green, S. Hohenberger, and B. Waters,
“Outsourcing the decryption of ABE ciphertexts,”
Proceedings of the 20th USENIX Conference on Security, August 2011.
22. J. Lai, R. H. Deng, C. Guan, and J. Weng,
“Attribute-based encryption with verifiable outsourced decryption,” IEEE Transactions on
Information Forensics and Security, vol. 8, no. 8, pp. 1343–1354, August 2013.
23. S. Hohenberger and B. Waters, “Online/offline attribute-based encryption,” Public-Key
Cryptography–PKC, vol. 8383, pp. 293–310, March 2014.
24. De Caro and V. Iovino, “JPBC: java pairing based cryptography,” IEEE Symposium on Computers and Communications, pp. 850–855, June 2011
