The CP-ABE with Verifiable Outsourced Decryption Approach with User's Privilege Control
Miss S. M. Mahalle, SGBAU, Amravati, India. [email protected]
Dr. V. M. Thakare, SGBAU, Amravati, India. [email protected]
ABSTRACT:
Data access control is one of the most important security mechanisms in cloud computing. Access control presupposes an active user and/or application process that wants to read or modify a data object, and it involves two steps: authentication and authorization. It protects the integrity and confidentiality of data. This paper surveys access control schemes for the cloud: Comparison-Based Encryption (CBE), Revocable CP-ABE, Attribute-Based Encryption (ABE) with Outsourced Decryption, AnonyControl and AnonyControl-F, and the Extended Constant-size Ciphertext Policy Comparative Attribute-Based Encryption (ECCP-CABE) scheme. Security in cloud computing requires attention not only to the privacy of data content but also to the privacy of user identity. This paper therefore proposes a new access control method, CP-ABE with verifiable outsourced decryption and user privilege control. The method prevents leakage of the user's identity, achieves full anonymity, and controls data access with a CP-ABE scheme with verifiable outsourced decryption, where verifiability guarantees the correctness of the transformation performed by the cloud server.
Keywords: Data access control, CP-ABE, Attribute-Based Encryption, Outsourced Decryption, AnonyControl and AnonyControl-F, Extended Constant-size Ciphertext Policy Comparative Attribute-Based Encryption.
I) INTRODUCTION
In the cloud environment, data access control is a growing concern and a challenging issue for cloud storage systems. Access control is one of the critical security mechanisms for data protection in cloud applications. Traditional access control approaches assume that the data is stored on a server that all users trust. In cloud computing this assumption no longer holds, since data owners and cloud servers are usually in different domains, so those methods are no longer suitable for cloud storage systems. Hence attribute-based encryption (ABE) has been introduced into cloud computing: outsourced sensitive data is encrypted under an access policy over attributes that describe the data, and only authorized users can decrypt and access it. A newer efficient framework for cloud computing is Constant-size Ciphertext Policy Comparative Attribute-Based Encryption (CCP-CABE), which supports negative attributes and wildcards.
This paper discusses several methods: Comparison-Based Encryption (CBE), Revocable CP-ABE, Attribute-Based Encryption (ABE) with Verifiable Outsourced Decryption, AnonyControl and AnonyControl-F, and the Extended Constant-size Ciphertext Policy Comparative Attribute-Based Encryption (ECCP-CABE) scheme. The proposed method, CP-ABE with verifiable outsourced decryption and user privilege control, improves the performance of the access control mechanism in cloud computing.
II) BACKGROUND
Comparison-based encryption (CBE) is a scheme that facilitates fine-grained access control in cloud computing. Using forward and backward derivation functions, it introduces comparison relations into attribute-based encryption in order to enforce various range constraints on integer attributes, such as temporal and level attributes [1].
In a revocable CP-ABE scheme the access policy is defined and enforced by the data owners rather than by the cloud server; the server is not required to be fully trusted, and data owners are not required to be online all the time. On attribute revocation the scheme only updates the ciphertext components associated with the revoked attribute, while the other components are left unchanged, which greatly improves the efficiency of attribute revocation. The scheme incurs less storage overhead, computation cost and communication overhead [2].
Attribute-based encryption (ABE) is a public-key, one-to-many encryption technique in which users encrypt and decrypt data based on attributes. One of the main drawbacks of ABE schemes is that decryption involves expensive pairing operations, and the number of such operations grows with the complexity of the access policy [3].
The AnonyControl and AnonyControl-F schemes are tolerant against authority compromise: compromising up to (N − 2) authorities does not bring the whole system down. They guarantee the confidentiality of the data consumers' identity information and tolerate compromise attacks on the authorities as well as collusion attacks by the authorities [4].
ECCP-CABE satisfies the application requirement that data owners need to share data under a policy written over attributes issued across different attribute domains. It prioritizes the attribute domains to reflect their different levels of confidentiality. In ECCP-CABE, if one attribute range of the data user does not satisfy the access policy in the corresponding attribute domain, the decryption process stops, and the access policy over the remaining attribute domains stays hidden [5].
This paper reviews five flow/access control methods: Comparison-Based Encryption (CBE), Revocable CP-ABE, Attribute-Based Encryption (ABE) with Verifiable Outsourced Decryption, AnonyControl and AnonyControl-F, and the Extended Constant-size Ciphertext Policy Comparative Attribute-Based Encryption (ECCP-CABE) scheme. The rest of the paper is organized as follows. Section II gives the background. Section III discusses previous work. Section IV discusses the existing methodologies. Section V analyses the attributes and parameters of each scheme and how they affect information flow control (IFC). Section VI presents the proposed method and its possible outcome. Section VII concludes this review paper.
III) PREVIOUS WORK DONE
The research literature has improved information flow control and increased its efficiency with several recent techniques [1][2][3][4][5]. The comparison-based encryption (CBE) scheme is secure against the collusion privilege attack, chosen derivation-key attacks (KS-CDA) and the cycling attack. CBE is efficient: its decryption overhead is apportioned between cloud servers and clients, so the client's computational cost is low [1]. Attribute-based access control with efficient revocation in data outsourcing systems allows the server to re-encrypt the ciphertext with a set of attribute group keys, so that access rights can be revoked at the attribute level rather than at the user level [2]. In attribute-based encryption with fast decryption, the decryption algorithm requires only a constant number of pairing computations; likewise, attribute-based encryption schemes with constant-size ciphertexts give CP-ABE and KP-ABE constructions whose ciphertexts have constant size and whose decryption requires a constant number of pairings [3]. In the AnonyControl-F scheme the access tree is used as a privilege tree. A privilege is defined much like the privileges managed by an ordinary operating system: a data file has several executable operations, and each of them is allowed only to authorized users with a certain level of qualification [4].
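The privilege-tree idea can be made concrete without any cryptography: each operation on a file gets its own threshold-gate access tree, and a user's attribute set is tested against each tree. The following Python is an added illustration written for this review, not code from [4]; the medical-record file, its three operations and the attribute names are constructed for the example. It generalizes the plain access tree slightly with a negative-attribute leaf of the kind the CCP-CABE family supports; in an actual ABE scheme such a leaf needs key material for attributes the user lacks, which a pure policy evaluator does not model.

```python
def attr(name: str) -> tuple:
    """Leaf: satisfied when the user holds the attribute."""
    return ("attr", name)


def neg(name: str) -> tuple:
    """Negative-attribute leaf: satisfied when the user does NOT hold the attribute."""
    return ("not", name)


def gate(k: int, *children) -> tuple:
    """(k, n)-threshold gate: satisfied when at least k of the n children are."""
    return ("gate", k, list(children))


def AND(*children):
    return gate(len(children), *children)


def OR(*children):
    return gate(1, *children)


def satisfies(node: tuple, attrs: set) -> bool:
    """Recursive access-tree evaluation against a set of attribute strings."""
    kind = node[0]
    if kind == "attr":
        return node[1] in attrs
    if kind == "not":
        return node[1] not in attrs
    if kind == "gate":
        return sum(satisfies(child, attrs) for child in node[2]) >= node[1]
    raise ValueError(f"unknown node type {kind!r}")


def witness(node: tuple, attrs: set):
    """The leaves a decryptor would actually combine: at each gate, the first k
    satisfied children. Returns None when the tree is not satisfied."""
    kind = node[0]
    if kind == "attr":
        return {node[1]} if node[1] in attrs else None
    if kind == "not":
        return set() if node[1] not in attrs else None
    k, children = node[1], node[2]
    satisfied = [w for w in (witness(c, attrs) for c in children) if w is not None]
    if len(satisfied) < k:
        return None
    return set().union(*satisfied[:k])


def granted(privilege_trees: dict, attrs: set) -> list:
    """Operations on the file that this attribute set is allowed to perform."""
    return sorted(op for op, tree in privilege_trees.items() if satisfies(tree, attrs))


# Constructed sample: one record, three executable operations, one privilege tree each.
RECORD_PRIVILEGES = {
    "read": OR(attr("role:physician"),
               AND(attr("role:nurse"), attr("dept:cardiology"))),
    "write": AND(attr("role:physician"), attr("dept:cardiology"), neg("status:suspended")),
    "delete": gate(2, attr("role:physician"), attr("role:records_officer"),
                   attr("clearance:level3")),
}
```

A physician in cardiology is granted read and write; the same physician with the attribute status:suspended keeps read but loses write; a nurse outside cardiology gets nothing. The witness function matters in practice because a CP-ABE decryptor only pays pairings for the leaves on the satisfying sub-tree, not for every attribute it holds.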
A scheme that provides efficient and secure access control in a cloud environment is CCP-CABE. CCP-CABE can predefine different range intersection relationships on different attributes. Its encryption and decryption overhead on the data owners and data users also stays constant irrespective of the number of attributes [5].
IV) EXISTING METHODOLOGIES
Several methodologies have been implemented for access control in cloud computing, namely Comparison-Based Encryption (CBE), Revocable CP-ABE, Attribute-Based Encryption (ABE) with Verifiable Outsourced Decryption, AnonyControl and AnonyControl-F, and the Extended Constant-size Ciphertext Policy Comparative Attribute-Based Encryption (ECCP-CABE) scheme.
Comparison-based encryption (CBE) is a scheme that facilitates fine-grained access control in cloud computing. It provides O(1)-size private keys and ciphertexts for each range attribute, and it is provably secure under the RSA and CDH assumptions. CBE is an effective way to regulate outsourced sensitive data: only authorized users can access the data, based on their attributes [1].
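The forward/backward derivation idea is easiest to see on a single integer attribute. The following Python is an added illustration, not the CBE construction of [1]: CBE's derivation functions are RSA-based and let anyone encrypt from public parameters, whereas this stand-in uses two SHA-256 hash chains, so an attribute authority (assumed here) has to hand the data owner a range token. A user holding the chain elements for value u can walk forward to any F_w with w >= u and backward to any B_w with w <= u, but cannot invert a hash step; a ciphertext for the range [lo, hi] is keyed by (F_hi, B_lo). The last function shows the collusion privilege attack that CBE is built to resist and that this hash-chain stand-in does not: a user below the range and a user above it together recover both chain elements. MAX_VALUE, the attribute domain and the sample message are assumptions of the example.

```python
import hashlib
import hmac
import os

MAX_VALUE = 100  # assumed domain of the integer attribute: 0..MAX_VALUE


def forward(k: bytes) -> bytes:
    """f: F_v -> F_{v+1}. One-way, so a holder of F_v cannot reach F_{v-1}."""
    return hashlib.sha256(b"fwd" + k).digest()


def backward(k: bytes) -> bytes:
    """g: B_v -> B_{v-1}. One-way, so a holder of B_v cannot reach B_{v+1}."""
    return hashlib.sha256(b"bwd" + k).digest()


class UserKey:
    """Attribute key for one integer value: the chain elements F_value and B_value."""
    def __init__(self, value: int, fwd: bytes, bwd: bytes):
        self.value, self.fwd, self.bwd = value, fwd, bwd


class RangeAuthority:
    """Holds both chain roots (assumed trusted issuer, standing in for CBE's public-key setup)."""
    def __init__(self):
        self._f0 = os.urandom(32)     # F_0
        self._bmax = os.urandom(32)   # B_MAX_VALUE

    def _F(self, v: int) -> bytes:
        k = self._f0
        for _ in range(v):
            k = forward(k)
        return k

    def _B(self, v: int) -> bytes:
        k = self._bmax
        for _ in range(MAX_VALUE - v):
            k = backward(k)
        return k

    def issue_user_key(self, value: int) -> UserKey:
        return UserKey(value, self._F(value), self._B(value))

    def issue_range_token(self, lo: int, hi: int) -> tuple:
        """Encryption token for the policy lo <= value <= hi."""
        return (lo, hi, self._F(hi), self._B(lo))


def derive_forward(uk: UserKey, target: int):
    """F_target from F_u: only possible when target >= u."""
    if target < uk.value:
        return None
    k = uk.fwd
    for _ in range(target - uk.value):
        k = forward(k)
    return k


def derive_backward(uk: UserKey, target: int):
    """B_target from B_u: only possible when target <= u."""
    if target > uk.value:
        return None
    k = uk.bwd
    for _ in range(uk.value - target):
        k = backward(k)
    return k


def _kek(f_hi: bytes, b_lo: bytes) -> bytes:
    return hmac.new(f_hi, b_lo, hashlib.sha256).digest()


def _stream(key: bytes, data: bytes) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def encrypt_for_range(token: tuple, message: bytes) -> dict:
    lo, hi, f_hi, b_lo = token
    kek = _kek(f_hi, b_lo)
    body = _stream(kek, message)
    return {"lo": lo, "hi": hi, "body": body,
            "mac": hmac.new(kek, body, hashlib.sha256).digest()}


def _open(f_hi, b_lo, ct: dict):
    if f_hi is None or b_lo is None:
        return None
    kek = _kek(f_hi, b_lo)
    tag = hmac.new(kek, ct["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, ct["mac"]):
        return None
    return _stream(kek, ct["body"])


def decrypt(uk: UserKey, ct: dict):
    """Succeeds iff lo <= uk.value <= hi: the user needs F_hi (forward walk) and B_lo (backward walk)."""
    return _open(derive_forward(uk, ct["hi"]), derive_backward(uk, ct["lo"]), ct)


def collude(uk_a: UserKey, uk_b: UserKey, ct: dict):
    """Collusion privilege attack on this toy: a user below the range contributes F_hi and a user
    above it contributes B_lo. CBE is designed to resist this; plain hash chains are not."""
    f_hi = derive_forward(uk_a, ct["hi"]) or derive_forward(uk_b, ct["hi"])
    b_lo = derive_backward(uk_a, ct["lo"]) or derive_backward(uk_b, ct["lo"])
    return _open(f_hi, b_lo, ct)
```

The MAC under the range key is what turns "cannot derive the key" into a clean failure rather than garbage output. The collusion function is the reason a production range-attribute scheme cannot be two independent chains: the two one-way directions must be tied to a single user key, which is what CBE's construction does.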
Revocable CP-ABE is a technique for fine-grained data access control in cloud storage systems. The access policy is defined and enforced by the data owners rather than by the cloud server; the server need not be fully trusted, and data owners need not be online all the time. The method encrypts each content key so that only a user whose attributes satisfy the access structure in the ciphertext can decrypt it. Users with different attributes can decrypt different numbers of content keys, and thus obtain different granularities of information from the same data [2].
In ABE with verifiable outsourced decryption, verifiability guarantees the correctness of the transformation performed by the cloud server, and the scheme does not rely on random oracles. In the CP-ABE scheme with outsourced decryption, a user needs to know only a small part of the original ciphertext to verify, in the algorithm Decrypt_out, the correctness of the transformation done by the cloud. Using the algorithm GenTK_out and his private key, the user generates the transformation key himself rather than obtaining it from a trusted party. The security of the scheme ensures that an adversary (including a malicious cloud) cannot learn anything about the encrypted message, and verifiability allows the user to check the correctness of the transformation done by the cloud [3].
AnonyControl is a semi-anonymous privilege control scheme that addresses not only data privacy but also the user identity privacy neglected by existing access control schemes. It decentralizes the central authority to limit identity leakage and thus achieves semi-anonymity. AnonyControl-F fully prevents identity leakage and achieves full anonymity. Both AnonyControl and AnonyControl-F are secure under the decisional bilinear Diffie-Hellman assumption, and both protect the user's privacy against each single authority [4].
CCP-CABE is a Constant-size Ciphertext Policy Comparative Attribute-Based Encryption scheme with support for negative attributes and wildcards. It provides efficient and secure access control in a cloud environment. CCP-CABE can predefine different range intersection relationships on different attributes, and it keeps the key and ciphertext sizes constant regardless of the number of attributes. Extended CCP-CABE (ECCP-CABE) satisfies the application requirement that data owners need to share data under a policy written over attributes issued across different attribute domains [5].
The following figure shows the data access control model in cloud storage (figure not reproduced here).
V) ANALYSIS AND DISCUSSION
The CBE scheme is an effective approach to regulating outsourced sensitive data: only authorized users can access the data, based on their attributes. The forward and backward derivation functions used in the scheme are easy to compute but hard to invert. The bilinear pairing operation consumes more memory and CPU time than the other operations [1].
In revocable CP-ABE the access policy is defined and enforced by the data owners rather than by the cloud server; the server need not be fully trusted, and the data owners need not be online all the time. The scheme has lower computation cost, communication overhead and storage overhead, and revocation is conducted efficiently at the attribute level rather than at the user level [2].
The CP-ABE scheme with verifiable outsourced decryption reduces the computation time required by resource-limited devices to recover plaintexts, and it is secure against chosen-ciphertext attack. However, the complexity of the ciphertext policy affects both the decryption time and the ciphertext size [3].
AnonyControl provides not only data privacy but also user identity privacy, and AnonyControl-F fully prevents identity leakage and achieves full anonymity. Both schemes protect the user's privacy against each single authority, and they achieve fine-grained privilege control together with identity anonymity while conducting privilege control based on the users' identity information [4].
The CCP-CABE and ECCP-CABE schemes are secure against various attacks: they prevent honest-but-curious cloud service providers from decrypting ciphertexts and counter key collusion attacks by multiple data owners and users. The basic CCP-CABE scheme, however, does not fit multiple attribute domains [5].
IFC technique: Comparison-based encryption (CBE)
  Advantages: 1) Secure against the collusion privilege attack, chosen derivation-key attacks (KS-CDA) and the cycling attack.
  Disadvantages: The bilinear pairing operation consumes more memory and CPU time than the other operations.

IFC technique: Revocable CP-ABE
  Advantages: 1) Achieves both forward and backward security. 2) Incurs less computation cost, communication overhead and storage overhead.
  Disadvantages: Forward security in revocable CP-ABE will no longer be guaranteed.

IFC technique: ABE with Verifiable Outsourced Decryption
  Advantages: 1) Reduces the computation time required by resource-limited devices to recover plaintexts. 2) Secure against chosen-ciphertext attack.
  Disadvantages: The complexity of the ciphertext policy affects both the decryption time and the ciphertext size.

IFC technique: AnonyControl and AnonyControl-F
  Advantages: 1) AnonyControl-F fully prevents identity leakage and achieves full anonymity. 2) Both schemes guarantee the confidentiality of the data consumers' identity information.
  Disadvantages: Extra communication overhead is a problem in AnonyControl-F. For each attribute category the user takes part in a 1-out-of-n oblivious transfer (OT), which needs O(n) rounds of communication.

IFC technique: ECCP-CABE
  Advantages: 1) Minimizes the computation overhead on data owners and data users irrespective of the number of attributes. 2) Keeps both the ciphertext size and the key size constant irrespective of the number of involved attributes.
  Disadvantages: The basic CCP-CABE scheme does not fit multiple attribute domains; the extended scheme is needed for them.

TABLE 1: Comparison of CBE, Revocable CP-ABE, ABE with Verifiable Outsourced Decryption, AnonyControl and AnonyControl-F, and ECCP-CABE
VI) PROPOSED METHODOLOGY
Many strategies for data access control have been used, such as Revocable CP-ABE, ABE with Verifiable Outsourced Decryption and the ECCP-CABE scheme, each with its own characteristics. Among them, Revocable CP-ABE achieves fine-grained data access control for cloud storage systems with low storage overhead, computation cost and communication overhead. The CCP-CABE scheme incorporates wildcards and negative attributes, so it can express more kinds of access policies. An ABE system with outsourced decryption ensures that an adversary learns nothing about the encrypted message, but plain outsourcing does not guarantee the correctness of the transformation done by the cloud, and it does not address privilege control or the identity privacy of users. These gaps are what the proposed method, "CP-ABE with verifiable outsourced decryption scheme with user's Privilege Control", is meant to close.
In the proposed scheme a user needs to know only a small part of the original ciphertext to verify the correctness of the transformation done by the cloud. Verifiability guarantees the correctness of the transformation performed by the cloud server. A CP-ABE scheme with verifiable outsourced decryption consists of seven algorithms: Setup, KeyGen, Encrypt, Decrypt, GenTK_out, Transform_out and Decrypt_out. Using GenTK_out and his private key, the user generates the transformation key himself rather than relying on a trusted party; the transformation key is handed to the cloud, which runs Transform_out on the ciphertext, and the user then runs Decrypt_out to finish the decryption and verify it. The security of the scheme ensures that an adversary (including a malicious cloud) cannot learn anything about the encrypted message, and verifiability lets the user check the correctness of the transformation done by the cloud. In a CP-ABE scheme, the complexity of the ciphertext policy affects both the decryption time and the ciphertext size.
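To make the seven-algorithm flow concrete, here is an added toy model written for this review; it is not the construction of [3] and not the proposed scheme. The pairing-based CP-ABE layer is replaced by an ElGamal key encapsulation over the RFC 2409 1024-bit MODP group whose ciphertext is split into several components, so the party that combines them pays one exponentiation per component (standing in for one pairing per attribute) and the party that finishes pays a single exponentiation. Setup is the fixed group, and there is no access policy, so every holder of the secret key decrypts. What the toy does show faithfully is the blinding in GenTK_out (the cloud receives sk * z^-1 mod q, which is uniformly random from its point of view, and never sees the encapsulated key K) and the check in Decrypt_out (the ciphertext carries a hash tag of K, so a wrong transformation is rejected instead of yielding garbage). The function names, the tag construction and the sample message are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": p is a safe prime, g = 2 generates the order-q subgroup.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2


def _kdf(K: int, label: bytes) -> bytes:
    """Domain-separated derivation of keys and the verification tag from the group element K."""
    return hashlib.sha256(label + K.to_bytes(128, "big")).digest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def keygen():
    """KeyGen: secret exponent sk and public key pk = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk: int, message: bytes, n_components: int = 4) -> dict:
    """Encrypt: r is split into n shares so the ciphertext has n elements C_i = g^{r_i}.
    K = pk^r is the encapsulated key; vk = H(K) is the tag Decrypt_out checks."""
    shares = [secrets.randbelow(Q) for _ in range(n_components)]
    K = pow(pk, sum(shares) % Q, P)
    body = _xor_stream(_kdf(K, b"enc"), message)
    mac = hmac.new(_kdf(K, b"mac"), body, hashlib.sha256).digest()
    return {"C": [pow(G, s, P) for s in shares], "body": body, "mac": mac,
            "vk": _kdf(K, b"vk")}


def _finish(K: int, ct: dict):
    """Tail shared by Decrypt and Decrypt_out: verify the recovered K, then unwrap."""
    if not hmac.compare_digest(_kdf(K, b"vk"), ct["vk"]):
        return None  # wrong K: the transformation was incorrect (or malicious)
    mac = hmac.new(_kdf(K, b"mac"), ct["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, ct["mac"]):
        return None  # body altered in storage
    return _xor_stream(_kdf(K, b"enc"), ct["body"])


def decrypt(sk: int, ct: dict):
    """Decrypt without outsourcing: the user pays n exponentiations."""
    K = 1
    for c in ct["C"]:
        K = K * pow(c, sk, P) % P
    return _finish(K, ct)


def gen_tk_out(sk: int):
    """GenTK_out: blind sk with a fresh z. tk goes to the cloud, z stays with the user.
    tk = sk * z^{-1} mod q is uniformly distributed, so it reveals nothing about sk."""
    z = secrets.randbelow(Q - 1) + 1
    return sk * pow(z, -1, Q) % Q, z


def transform_out(tk: int, ct: dict) -> int:
    """Transform_out (run by the cloud): the n exponentiations, giving T = g^{r*sk/z}.
    The cloud never obtains K = g^{r*sk}."""
    T = 1
    for c in ct["C"]:
        T = T * pow(c, tk, P) % P
    return T


def decrypt_out(z: int, ct: dict, T: int):
    """Decrypt_out: one exponentiation restores K = T^z, then the same check as Decrypt."""
    return _finish(pow(T, z, P), ct)
```

The tag binds the encapsulated key, so it catches an incorrect or deliberately wrong transformation; it does not stop a cloud that simply serves a different, validly formed ciphertext, which is outside what verifiability promises. Note also that in this toy the local Decrypt and the cloud's Transform_out cost the same n exponentiations; the saving in the real scheme comes from replacing n pairings by a single exponentiation on the user's side.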
Unlike most attribute-based encryption schemes, which focus only on data content privacy and access control, the proposed scheme also addresses user identity privacy. Besides, it generalizes file access control to privilege control, by which the privileges of all operations on the cloud data can be managed in a fine-grained manner. The method prevents leakage of the user's identity and achieves full anonymity.
The following figure shows the general flow of the scheme, which allows cloud servers to control users' access privileges without knowing their identity information.
Fig. 2: Flow of scheme. [Figure not reproduced. Its labelled parties are the data owner, the N attribute authorities and the cloud servers; its numbered arrows are (1) request the attribute authorities' public key, (2) outsource the encrypted file, (3) request the private key, and (4) download the encrypted file.]
OUTCOME AND POSSIBLE RESULT
The proposed scheme is thus secure and verifiable. It substantially reduces the computation time required by resource-limited devices to recover plaintexts, and it achieves not only fine-grained privilege control but also identity anonymity while conducting privilege control based on the users' identity information. The approach therefore serves the needs of an effective data access control mechanism.
VII) CONCLUSION
This paper has studied several data access control techniques: CBE, Revocable CP-ABE, ABE with Verifiable Outsourced Decryption, AnonyControl and AnonyControl-F, and the ECCP-CABE scheme. The existing ABE with Verifiable Outsourced Decryption scheme focuses only on data content privacy and access control. The proposed CP-ABE with verifiable outsourced decryption scheme with user's Privilege Control prevents unwanted data access as well as leakage of the user's identity, and achieves full anonymity; it thus addresses the user privacy problem on a cloud storage server.
Data access control methods are used mostly in medical applications, company customer records, military information management systems, historical health records, and similar settings.
FUTURE SCOPE:
From our observation, the proposed method is well suited to fine-grained data access control for cloud computing, and its study is planned as future work. The approach will also work towards resolving the identified issues of overhead and user revocation. Hence the future work is to introduce an efficient user revocation mechanism on top of the proposed user privilege control scheme.
REFERENCES
[1] Yan Zhu and Hongxin Hu, "Comparison-Based Encryption for Fine-grained Access Control in Clouds", in Proc. ACM Conference on Data and Application Security and Privacy (CODASPY 2012), pp. 105-114, February 2012.
[2] Kan Yang and Xiaohua Jia, "Attribute-based Fine-Grained Access Control with Efficient Revocation in Cloud Storage Systems", in Proc. ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013), pp. 523-528, May 2013.
[3] Junzuo Lai and Robert H. Deng, "Attribute-Based Encryption With Verifiable Outsourced Decryption", IEEE Transactions on Information Forensics and Security, vol. 8, no. 8, pp. 1343-1353, August 2013.
[4] Taeho Jung and Xiang-Yang Li, "Control Cloud Data Access Privilege and Anonymity with Fully Anonymous Attribute-Based Encryption", IEEE Transactions on Information Forensics and Security, vol. 10, no. 1, pp. 190-199, January 2015.
[5] Zhijie Wang and Dijiang Huang, "Efficient Attribute-Based Comparable Data Access Control",