
International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 4, Issue 2, February 2014)


Achieve Fine Grained Data Access Control in Cloud Computing using KP-ABE along-with Lazy and Proxy Re-encryption

Hulawale Kalyani (1), Paikrao Rahul (2), Pawar Ambika (3)

(1) ME Student, (2) Associate Professor, A.V.C.O.E. Sangamner.

(3) Assistant Professor, S.I.T. Lavale, Pune

Abstract— The emerging cloud technologies, due to their various unique and attractive properties, are rapidly being adopted throughout the IT industry. In this paper, we identify security challenges that arise in the incorporation of cloud-based services, and present a set of solutions to address them. To assure users control over access to their own data, a promising method is to encrypt the data before outsourcing it to the cloud. The main issues are privacy, scalability in key management, flexible access and efficient user revocation, which are the most important considerations for achieving fine-grained, cryptographically enforced data access control.

Keywords: Public key cryptography, IDEA, KP-ABE, Cloud computing, Proxy re-encryption, Lazy re-encryption.

I. INTRODUCTION

Cloud computing is rising from recent advances in technologies such as hardware virtualization, Web services, distributed computing, utility computing and system automation. It has already drawn immense attention, and its benefits have attracted a number of users to outsource their local data centers to remote cloud servers. In spite of its popularity, however, cloud computing has raised a range of significant security and privacy concerns which hinder its adoption in sensitive environments. The transition to the cloud computing model exacerbates security and privacy challenges, mainly due to its dynamic nature and the fact that in this model the hardware and software components of a single service span multiple trust domains. The dynamism of data introduces more risk and complicates the problem of access control. Moreover, cloud services are usually multi-tenancy services, meaning that a single infrastructure, platform, or software provides its services to multiple mutually untrusted parties simultaneously [19]. Therefore, the confidentiality of these parties' data needs to be protected against each other. However, in some cases these parties may want to collaborate and share some data with each other in a controlled manner, and thus there should be a mechanism that allows them to collaborate.

Traditional access control techniques are based on the assumption that the server is in the trusted domain of the data owner and therefore an omniscient reference monitor can be used to enforce access policies against authenticated users. However, in cloud-based services this assumption usually does not hold and therefore these solutions are not applicable. In cryptographic access control approaches, the data stored on untrusted storage is encrypted and the corresponding decryption keys are disclosed only to the authorized users. Therefore, the confidentiality of data is protected against untrusted storage as well as unauthorized users. However, the existing solutions [4, 11, 20] have scalability limitations that hinder their adoption in cloud-storage settings. For securing data stored in the cloud and achieving fine-grained access control, the proposed scheme uses IDEA [17] and Key Policy based encryption, along with Proxy Re-encryption. KP-ABE [1,7] mainly concentrates on the access control policy, PRE [1,15] delegates the task of decryption key distribution to the cloud server, and lazy re-encryption [1,16] is used for user revocation. By uniquely combining these cryptographic techniques this scheme realizes a secure data exchange through the cloud platform with minimum overhead on the data owner.

II. RELATED WORK

In [1,6], Vimercati et al. proposed a scheme in which each file is encrypted with a symmetric key and each user is assigned a secret key. To grant the access right to a user, the owner creates corresponding public tokens from which, along with his secret key, the user is able to get the decryption keys of desired files. The owner then transfers these public tokens to the semi-trusted server and assigns the task of token distribution to it.

Each file is then encrypted with a unique key, which is in turn encrypted with the lockbox-key of that group.

Ateniese et al. [1, 5] proposed a safe distributed storage scheme based on proxy re-encryption. In this scheme, the data owner encrypts the blocks of data with symmetric data keys, and these keys are all encrypted with a public key, which is decrypted by the master private key that is kept by the data owner. The data owner uses his private key and the user's public key to generate proxy re-encryption keys, with the help of which the semi-trusted server can then convert the ciphertext into one for a specific granted user and fulfill the task of access control.

Secure patient-centric access control (PEACE) [18] is a method for upcoming electronic health care (eHealth) systems. In order to assure the privacy of patient personal health information (PHI), they define different access policies for different users according to their roles, and then assign different attribute sets to the data requesters. These different sets of attributes are used to build the patient-centric access policies of patient PHI. The PEACE scheme can assure PHI integrity and confidentiality by using digital signature and pseudo identity techniques.

III. PROGRAMMER'S DESIGN OF PROPOSED SYSTEM

A. Mathematical Model with help of Theory of Project

1. Problem Description - Mathematical model for proposed system. The terms used are as follows:

Let S be a system achieving fine-grained data access control in cloud computing using KP-ABE, lazy re-encryption and proxy re-encryption, such that S = {I, F, O}, where:

'I' represents the set of inputs. Let I = {I1, I2, I3}
I1 = File Uploading
I2 = File access structure
I3 = File attributes

F is the set of functions. Let F = {F1, F2, F3, F4}
F1 = IDEA algorithm
F2 = KP-ABE
F3 = Lazy re-encryption
F4 = Proxy re-encryption

O is the set of outputs. O = {O1, O2, O3, O4}
O1 = Key Generation (Symmetric)
O2 = Key Generation (Master, Public and Secret)
O3 = Key Updation
O4 = File Decryption

B. Set Representation

Fig. 1. Set Representation

Figure 4 shows every input from set 'I' goes through function F1, F2, F3 and F4 and each function gives separate output like F1 gives output O1, F2 gives output O2 and O4 and F3 gives output O3.

C. Data Flow Architecture

Figure 2 gives the development of the system in a tree structure using data flow architecture. In file creation, the data owner first selects a unique ID for the file, encrypts the file with a symmetric data encryption key (DEK) generated by the IDEA algorithm, defines a set of attributes for the data file, and encrypts the DEK with those attributes using KP-ABE. The data owner can also update and delete the file. For deletion, the data owner sends the file's ID along with his signature on this ID to the Cloud Servers. If verification succeeds, the Cloud Servers delete the data file. For a new user, the data owner assigns an access tree and a unique ID for that user, then the cloud server generates the secret key and sends it to the user by mail.
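The access-tree logic behind the KP-ABE step above, as an added illustration that is not code from the paper: a policy tree of k-of-n gates over attributes splits a secret with Shamir polynomials, and the secret can be rebuilt only from a file attribute set that satisfies the tree. It follows the threshold access-tree construction of the cited KP-ABE scheme [7] but leaves out the pairing-based cryptography, so it shows the policy logic only and protects nothing; the attribute names and the field modulus P are assumptions.

```python
import secrets

P = 2**127 - 1  # assumed prime modulus; stands in for the pairing-group order

# Constructed policy: course:CS101 AND (role:student OR role:ta)
POLICY = (2, ["course:CS101", (1, ["role:student", "role:ta"])])

def keygen(node, value):
    """Split `value` down a policy tree. Leaf: attribute name (str).
    Gate: (k, [children]) meaning k-of-n; AND is n-of-n, OR is 1-of-n."""
    if isinstance(node, str):
        return (node, value)
    k, children = node
    # Random polynomial q of degree k-1 with q(0) = value.
    coeffs = [value] + [secrets.randbelow(P) for _ in range(k - 1)]
    q = lambda x: sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    # Child number i (1-based) receives the share q(i).
    return (k, [keygen(child, q(i)) for i, child in enumerate(children, 1)])

def recover(key, attrs):
    """Return the value shared at this node, or None when `attrs` (the
    attribute set attached to the file) does not satisfy the subtree."""
    if isinstance(key[0], str):
        name, share = key
        return share if name in attrs else None
    k, children = key
    pts = [(i, v) for i, c in enumerate(children, 1)
           if (v := recover(c, attrs)) is not None][:k]
    if len(pts) < k:
        return None  # fewer than k satisfied children: gate stays closed
    total = 0
    for xi, yi in pts:  # Lagrange interpolation at x = 0
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

if __name__ == "__main__":
    y = secrets.randbelow(P)   # stands in for the secret that unwraps the DEK
    user_key = keygen(POLICY, y)
    print(recover(user_key, {"course:CS101", "role:ta"}) == y)   # satisfied
    print(recover(user_key, {"role:student", "role:ta"}))        # not satisfied
```

In the real scheme the leaf shares sit in group exponents and are combined with per-attribute ciphertext components, so a key holder cannot read them directly as this sketch allows.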

IV. MODULES USED

This is a web-based application developed in MVC three-tier architecture. This system is built with cloud computing technology. Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over a network. End users access cloud-based applications through a web browser on a desktop, while the application software and the user's data are stored on servers at a remote location.

A. Data Owner (Teacher)

The Data Owner is a person who stores files in the cloud, which are in turn accessed by the authorized Data Users.

Once the Data Owner is logged in, he has the following functions.

1. Login Module - The teacher or data owner can log in by providing Teacher ID and Password in order to upload a file to the server.

2. Set Attributes - This allows the data owner to set the attributes, with the combination of which the access structure is defined.

3. Access Structure - The Data Owner/teacher defines the access structure for a user in order to retrieve that file. If the user satisfies it, he/she will get the file. If he is not an authorized person, he will get duplicate data for the searched file.

4. File Upload - By using this, the data owner uploads the file to the server in encrypted format.

5. Attribute based Key Distribution through e-mail - The user will get the key on his mail ID.

6. Registration - Get registered by filling this in; after that a password is received in order to access the system.

B. Data User (Student)

Data users receive their access key from the respective data owner through email. With the help of the access key they are able to download the files for which they have access; access control is set by the data owner. Suppose the data user wants to download a file: first he has to select the file from the list, and the system asks for the access key. After the system gets the access key, if the user has access he can download the encrypted file, which is in turn decrypted using the decryption key and downloaded to the data consumer's local system. Once the Data Consumer is logged in, he has the following functions.

1. Login – User can login by providing Teacher ID and Password in order to upload file on server.

2. File download to local system – Enter the File Id or select the file, and enter the password that was mailed in order to decrypt the file.

3. Registration - Get registered by filling this in; after that a password is received in order to access the system.

V. USER INTERFACE

When the application is started, the data owner (teacher)/user (student) will be greeted by the screen in Figure 3. At this point, it is imperative that a connection with the database is possible before proceeding. After this, Figures 3-10 show the related operations of the Data Owner (Teacher) and User (Student).


Fig 4. Data Owner (Teacher) Login

Fig 5 Attribute Set

Fig 6. Access Structure

Fig 7. File Upload


Fig 8. User Login


Fig 10. File Download

VI. CONCLUSION

In this work we greatly reduce the complexity of key management along with the privacy compared. The scheme uses ABE to encrypt the data, so that users can allow access to different domains/areas with different professional roles and qualifications. We enhance an existing ABE scheme to handle efficient and on-demand user deletion/revocation, and prove its security.

REFERENCES

[1] Shucheng Yu, Cong Wang, Kui Ren, and Wenjing Lou, "Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing," in Proc. of INFOCOM'10, 2010.

[2] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin, I. Stoica, and M. Zaharia, "Above the clouds: A berkeley view of cloud computing," University of California, Berkeley, Tech. Rep. USB-EECS-2009-28, Feb 2009.

[3] J. Li, N. Li, and W. H. Winsborough, "Automated trust negotiation using cryptographic credentials," in Proc. of CCS'05, 2005.

[4] E. Goh, H. Shacham, N. Modadugu, and D. Boneh, "Sirius: Securing remote untrusted storage," in Proc. of NDSS'03, 2003.

[5] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," in Proc. of NDSS'05, 2005.

[6] S. D. C. di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and P. Samarati, "Over-encryption: Management of access control evolution on outsourced data," in Proc. of VLDB'07, 2007.

[7] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. of CCS'06, 2006.

[8] Q. Wang, C. Wang, J. Li, K. Ren, and W. Lou, "Enabling public verifiability and data dynamics for storage security in cloud computing," in Proc. of ESORICS'09, 2009.

[9] S. Yu, K. Ren, W. Lou, and J. Li, "Defending against key abuse attacks in kp-abe enabled broadcast systems," in Proc. of SECURECOMM'09, 2009.

[10] M. Atallah, K. Frikken, and M. Blanton, "Dynamic and efficient key management for access hierarchies," in Proc. of CCS'05, 2005.

[11] M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, and K. Fu, "Scalable secure file sharing on untrusted storage," in Proc. of FAST'03, 2003.

[12] D. Naor, M. Naor, and J. B. Lotspiech, "Revocation and tracing schemes for stateless receivers," in Proc. of CRYPTOA, 2001.

[13] ACL. http://en.wikipedia.org/wiki/Access_control_list

[14] M. Atallah, K. Frikken, and M. Blanton, "Dynamic and efficient key management for access hierarchies," in Proc. of CCS'05, 2005.

[15] M. Blaze, G. Bleumer, and M. Strauss, "Divertible protocols and atomic proxy cryptography," in Proc. of EUROCRYPT '98, 1998.

[16] M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, and K. Fu, "Scalable secure file sharing on untrusted storage," in Proc. of FAST'03, 2003.

[17] International Data Encryption Algorithm. International Data Encryption Algorithm. CS-627-1. Fall 2004. By How-Shen Chang

[18] Benaloh, J., Chase, M., Horvitz, E., and Lauter, K. (2009)

Figure

Fig.2.Data Flow Architecture
Fig 9. File Details to Download