Permission Management System for Secure Clouds
-
Upload
editorijsaa -
Category
Documents
-
view
216 -
download
0
Transcript of Permission Management System for Secure Clouds
-
8/2/2019 Permission Management System for Secure Clouds
1/3
AbstractCloud computing is an emerging computing para-
digm in which resources of the computing infrastructure are
provided as services over the Internet. As promising as it is, this
paradigm also brings forth many new challenges for data secu-
rity and access control when users outsource sensitive data for
sharing on cloud servers, which are not within the same trusted
domain as data owners. In this paper, we discuss a novel ap-
proach to controlling access to user data in the cloud, Permis-
sion Management System (PMS). User data are encrypted to
maintain confidentiality and permissions are managed via de-
cryption keys using techniques of attribute-based encryption(ABE).
Keywords: PMS, ABE
I. INTRODUCTION
In past three decades, the world of computation has
changed from centralized (client-server not web-based)
to distributed systems and now we are getting back to
the virtual centralization (Cloud Computing). Location
of data and processes makes the difference in the realm
of computation. On one hand, an individual has full
control on data and processes in his/her computer. On
the other hand, we have the cloud computing wherein,
the service and data maintenance is provided by some
vendor which leaves the client/customer unaware of
where the processes are running or where the data is
stored. So, logically speaking, the client has no control
over it.
One of the challenging problems cloud computing
[1] is facing in this context is the security of data in the
cloud in general, access control to the data in the cloud
in specific. Since the physical location of user data in
the cloud is unknown and often the data are distributedacross multiple cloud services, there is a strong need
for a better solution for involving users in the develop-
ment and control of access control policies surrounding
the use of their data.
In this paper we present a novel approach to control-
ling access to user data in the cloud to address the is-
sues. Specifically, providing an environment where
user can set permissions for all data stored on a cloud.
When user uploads data to the cloud he is asked to set
the access control parameters for the data and then
cloud owner monitors the data accordingly. Moreover,user data are encrypted using attribute based encryption
(ABE), therefore remaining confidential, and permis-
sions are managed in the form of decryption key.
The rest of this paper is organized as follows. Sec-
tion 2 discusses about related works. In Section 3, we
present our approach, followed by the discussion on the
design and implementation in Section 4 and section 5
concludes this paper.
II. BACKGROUND AND RELATED WORK
A. Attribute Based Encryption
There has been growing interest in attribute basedencryption (ABE) since first proposed by Sahai et al.
[2] ABE is based on and extended from identity based
encryption (IBE) [3], which is similar to traditional
public-key based cryptography systems, but instead of
using a randomly generated public key, entities use
unique strings or other short identifiers, such as email
addresses, as their public key. For instance, to send an
encrypted email to [email protected], Alice would
encrypt the message using the email address as the
public key. Bob would obtain his corresponding private
key from a Private Key Generator to decrypt the mes-
sage. Therefore, IBE helps negate the use of public keycertificate in PKC-based applications. ABE is a further
extension from this. In ABE, a set of user attributes,
not just user identity, are associated with both cipher
text and decryption key so that the user that can pro-
vide a correct subset of attributes depending on access
policy can decrypt the cipher text using the decryption
key. For instance, to encrypt a confidential data stored
in the company.com intranet and allow it to be de-
crypted only by Account Payable or HR managers in
company.com, Alice would encrypt the data along
with her access control policy expressed as (Account
Payable manager:company.com_HR manag-
er:company.com). Bob, who is an HR manager in
company.com, would obtain his corresponding pri-
vate key from Alice to decrypt the data. Hence, ABE
enables a very flexible and scalable access control sys-
tem. There have been two types of ABE proposed: key-
based ABE (KP-ABE) and cipher text-policy ABE (CP
-ABE). In KP-ABE, access policy is associated with
private key, whereas in CP-ABE, the access policy is
specified in the cipher text [2][3]. Our approach uses
the latter.
III. OUR APPROACH
In this section, we discuss our approach to enabling a
user centric and flexible access control system in cloud
Permission Management System for Secure Clouds
1Ashwini U S, 2Kiran R, 3Iranna N K, 4Kirana K B, 5T. S. Bharath(M. Tech)1,2,3,4,5Computer science and Engineering,Sri Siddhartha Institute of Technology, VTU, Tumkur, India
email: [email protected], [email protected], [email protected],
[email protected],[email protected]
International Journal ofSystems , Algorithms &
ApplicationsIIIIJJJJSSSSAAAA AAAA
Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 1
ICTM 2011|June 8-9,2011|Hyderabad|India
-
8/2/2019 Permission Management System for Secure Clouds
2/3
computing.
Figure 1. Architecture based on our approach
A. Permission Management System
The Permission Management System proposed here
comes as a software package which the cloud owner can
install in his cloud to ensure data owners that their data
is secure. It works as follows:
Cloud service provider installs PMS software.
Whenever data owner uploads data to the cloud
PMS asks him to specify access structure and set
access credentials. PMS encrypts the data and this encrypted data
will be stored on cloud server.
Whenever any user tries to access the data he
needs to specify his attributes.
Based on users attributes PMS locates him in
the access structure and allow/deny the request
accordingly. If the user is allowed PMS provides
him with the decrypted data.
The system is flexible as it allows the owner to specify
different access credentials on same data to different
users based on their access structure.
B. ABE Components
Four fundamental components from the cipher-
policy attribute based encryption (CP-ABE) are needed
for our scheme to realize Permission Management Sys-
tem in cloud computing, which are Setup, Encrypt, Key-
Gen, and Decrypt. In order to describe them, we slightly
modify the notations [4] as follows:
Definition 1. (Access Structure) Let {A1, A2, A3 , ...,
An} be a set of attributes. A collection A _ 2
{A1,A2,A3,...,An} is monotone if8B, C: if B 2 A and
B _ C then C2 A. An accessstructure is a collection A
of non-empty subsets of{A1, A2, A3,..., An}. The sets inA are called the authorized attribute sets, and the sets
not in A are called the unauthorized attributesets.
Having defined the access structure, we discuss the four
components as follows:
Setup component: the setup component initializ-
es a permission management service for a user
by generating the public parameters PK and a
master key MK.
Encrypt component: The encrypt component
encrypts user data in service providers. It takes
as input the public parameters PK, a data M,
and an access structure A. The component will
encrypt M and produce a cipher text CT such
that only a user that possesses a set of attributes
that satisfies the access structure will be able to
decrypt the data.
Key generation component: The key generation
component generates a private key for a re-
quester, taking as input the master key MK and
a set of attributes S that describes the key.
Decrypt component: The decrypt component
decrypts the encrypted data using the public
parameters PK, a cipher text CT, which con-tains an access policy A, and a private key SK.
If the set S of attributes satisfies the access
structure A, then the component will decrypt
the cipher text and return a message M.
IV. DESIGN AND IMPLEMENTATION
Permission Management System is implemented as
software which consists of CPABE logic for data en-
cryption and decryption.
The methods PMS includes are:
PMS::install: This deals with installation of the
software in the cloud and initial configuration. PMS::upload: This method is invoked whenev-
er owner wants to upload data to the cloud. It
takes data, access structure and access creden-
tials as input. Encrypted data is the output. Also
it stores access structure and access credentials
for future reference.
PMS::access : Any user request to access data
on the cloud internally calls this method. It ac-
cepts users attributes as input and checks it with
access structure and access structure associated
with the requested data. If the user has required
permission decrypted data is produces as output.Otherwise request is simply denied.
V. DISCUSSION AND CONCLUSIONS
Permission Management System (PMS) makes life in
the Cloud easier for content owners by providing an
easy and flexible method for access control. Once the
package is installed in the cloud server, each upload and
access will be handled by PMS itself; no need of cloud
service providers instructions. In this paper we dis-
cussed an effective solution data security in cloud envi-
ronment using Attribute Based Encryption (ABE). Wediscussed a security architecture based our approach. In
order to demonstrate its feasibility, we finally presented
the design and implementation.
PERMISSIONMANAGEMENTSYSTEMFORSECURECLOUDSInternational Journal ofSystems , Algorithms &
ApplicationsIIIIJJJJSSSSAAAA AAAA
Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 2
ICTM 2011|June 8-9,2011|Hyderabad|India
-
8/2/2019 Permission Management System for Secure Clouds
3/3
REFERENCES[1] B. Hayes, Communications of the ACM, in Cloud computing,
vol. 51, no. 7, 2008, pp. 911.
[2] A. Sahai and B. Waters, Advances
in Cryptology-EUROCRYPT 2005, in Fuzzy identity-based encryp-
tion, 2005, pp. 457473.
[3] D. Boneh and M. Franklin, Identity-based encryption from the
Weil pairing, in Advances in Cryptology-CRYPTO 2001. Springer,
2001, pp. 213229.
[4] J. Bettencourt, A. Sahai, and B. Waters, Ciphertext-policy at-
tributebased encryption, in IEEE Symposium on Security and Priva-
cy, 2007. SP07, 2007, pp. 321334.
PERMISSIONMANAGEMENTSYSTEMFORSECURECLOUDS International Journal ofSystems , Algorithms &
ApplicationsIIIIJJJJSSSSAAAA AAAA
Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 3
ICTM 2011|June 8-9,2011|Hyderabad|India