Permission Management System for Secure Clouds

download Permission Management System for Secure Clouds

of 3

Transcript of Permission Management System for Secure Clouds

  • 8/2/2019 Permission Management System for Secure Clouds

    1/3

    AbstractCloud computing is an emerging computing para-

    digm in which resources of the computing infrastructure are

    provided as services over the Internet. As promising as it is, this

    paradigm also brings forth many new challenges for data secu-

    rity and access control when users outsource sensitive data for

    sharing on cloud servers, which are not within the same trusted

    domain as data owners. In this paper, we discuss a novel ap-

    proach to controlling access to user data in the cloud, Permis-

    sion Management System (PMS). User data are encrypted to

    maintain confidentiality and permissions are managed via de-

    cryption keys using techniques of attribute-based encryption(ABE).

    Keywords: PMS, ABE

    I. INTRODUCTION

    In past three decades, the world of computation has

    changed from centralized (client-server not web-based)

    to distributed systems and now we are getting back to

    the virtual centralization (Cloud Computing). Location

    of data and processes makes the difference in the realm

    of computation. On one hand, an individual has full

    control on data and processes in his/her computer. On

    the other hand, we have the cloud computing wherein,

    the service and data maintenance is provided by some

    vendor which leaves the client/customer unaware of

    where the processes are running or where the data is

    stored. So, logically speaking, the client has no control

    over it.

    One of the challenging problems cloud computing

    [1] is facing in this context is the security of data in the

    cloud in general, access control to the data in the cloud

    in specific. Since the physical location of user data in

    the cloud is unknown and often the data are distributedacross multiple cloud services, there is a strong need

    for a better solution for involving users in the develop-

    ment and control of access control policies surrounding

    the use of their data.

    In this paper we present a novel approach to control-

    ling access to user data in the cloud to address the is-

    sues. Specifically, providing an environment where

    user can set permissions for all data stored on a cloud.

    When user uploads data to the cloud he is asked to set

    the access control parameters for the data and then

    cloud owner monitors the data accordingly. Moreover,user data are encrypted using attribute based encryption

    (ABE), therefore remaining confidential, and permis-

    sions are managed in the form of decryption key.

    The rest of this paper is organized as follows. Sec-

    tion 2 discusses about related works. In Section 3, we

    present our approach, followed by the discussion on the

    design and implementation in Section 4 and section 5

    concludes this paper.

    II. BACKGROUND AND RELATED WORK

    A. Attribute Based Encryption

    There has been growing interest in attribute basedencryption (ABE) since first proposed by Sahai et al.

    [2] ABE is based on and extended from identity based

    encryption (IBE) [3], which is similar to traditional

    public-key based cryptography systems, but instead of

    using a randomly generated public key, entities use

    unique strings or other short identifiers, such as email

    addresses, as their public key. For instance, to send an

    encrypted email to [email protected], Alice would

    encrypt the message using the email address as the

    public key. Bob would obtain his corresponding private

    key from a Private Key Generator to decrypt the mes-

    sage. Therefore, IBE helps negate the use of public keycertificate in PKC-based applications. ABE is a further

    extension from this. In ABE, a set of user attributes,

    not just user identity, are associated with both cipher

    text and decryption key so that the user that can pro-

    vide a correct subset of attributes depending on access

    policy can decrypt the cipher text using the decryption

    key. For instance, to encrypt a confidential data stored

    in the company.com intranet and allow it to be de-

    crypted only by Account Payable or HR managers in

    company.com, Alice would encrypt the data along

    with her access control policy expressed as (Account

    Payable manager:company.com_HR manag-

    er:company.com). Bob, who is an HR manager in

    company.com, would obtain his corresponding pri-

    vate key from Alice to decrypt the data. Hence, ABE

    enables a very flexible and scalable access control sys-

    tem. There have been two types of ABE proposed: key-

    based ABE (KP-ABE) and cipher text-policy ABE (CP

    -ABE). In KP-ABE, access policy is associated with

    private key, whereas in CP-ABE, the access policy is

    specified in the cipher text [2][3]. Our approach uses

    the latter.

    III. OUR APPROACH

    In this section, we discuss our approach to enabling a

    user centric and flexible access control system in cloud

    Permission Management System for Secure Clouds

    1Ashwini U S, 2Kiran R, 3Iranna N K, 4Kirana K B, 5T. S. Bharath(M. Tech)1,2,3,4,5Computer science and Engineering,Sri Siddhartha Institute of Technology, VTU, Tumkur, India

    email: [email protected], [email protected], [email protected],

    [email protected],[email protected]

    International Journal ofSystems , Algorithms &

    ApplicationsIIIIJJJJSSSSAAAA AAAA

    Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 1

    ICTM 2011|June 8-9,2011|Hyderabad|India

  • 8/2/2019 Permission Management System for Secure Clouds

    2/3

    computing.

    Figure 1. Architecture based on our approach

    A. Permission Management System

    The Permission Management System proposed here

    comes as a software package which the cloud owner can

    install in his cloud to ensure data owners that their data

    is secure. It works as follows:

    Cloud service provider installs PMS software.

    Whenever data owner uploads data to the cloud

    PMS asks him to specify access structure and set

    access credentials. PMS encrypts the data and this encrypted data

    will be stored on cloud server.

    Whenever any user tries to access the data he

    needs to specify his attributes.

    Based on users attributes PMS locates him in

    the access structure and allow/deny the request

    accordingly. If the user is allowed PMS provides

    him with the decrypted data.

    The system is flexible as it allows the owner to specify

    different access credentials on same data to different

    users based on their access structure.

    B. ABE Components

    Four fundamental components from the cipher-

    policy attribute based encryption (CP-ABE) are needed

    for our scheme to realize Permission Management Sys-

    tem in cloud computing, which are Setup, Encrypt, Key-

    Gen, and Decrypt. In order to describe them, we slightly

    modify the notations [4] as follows:

    Definition 1. (Access Structure) Let {A1, A2, A3 , ...,

    An} be a set of attributes. A collection A _ 2

    {A1,A2,A3,...,An} is monotone if8B, C: if B 2 A and

    B _ C then C2 A. An accessstructure is a collection A

    of non-empty subsets of{A1, A2, A3,..., An}. The sets inA are called the authorized attribute sets, and the sets

    not in A are called the unauthorized attributesets.

    Having defined the access structure, we discuss the four

    components as follows:

    Setup component: the setup component initializ-

    es a permission management service for a user

    by generating the public parameters PK and a

    master key MK.

    Encrypt component: The encrypt component

    encrypts user data in service providers. It takes

    as input the public parameters PK, a data M,

    and an access structure A. The component will

    encrypt M and produce a cipher text CT such

    that only a user that possesses a set of attributes

    that satisfies the access structure will be able to

    decrypt the data.

    Key generation component: The key generation

    component generates a private key for a re-

    quester, taking as input the master key MK and

    a set of attributes S that describes the key.

    Decrypt component: The decrypt component

    decrypts the encrypted data using the public

    parameters PK, a cipher text CT, which con-tains an access policy A, and a private key SK.

    If the set S of attributes satisfies the access

    structure A, then the component will decrypt

    the cipher text and return a message M.

    IV. DESIGN AND IMPLEMENTATION

    Permission Management System is implemented as

    software which consists of CPABE logic for data en-

    cryption and decryption.

    The methods PMS includes are:

    PMS::install: This deals with installation of the

    software in the cloud and initial configuration. PMS::upload: This method is invoked whenev-

    er owner wants to upload data to the cloud. It

    takes data, access structure and access creden-

    tials as input. Encrypted data is the output. Also

    it stores access structure and access credentials

    for future reference.

    PMS::access : Any user request to access data

    on the cloud internally calls this method. It ac-

    cepts users attributes as input and checks it with

    access structure and access structure associated

    with the requested data. If the user has required

    permission decrypted data is produces as output.Otherwise request is simply denied.

    V. DISCUSSION AND CONCLUSIONS

    Permission Management System (PMS) makes life in

    the Cloud easier for content owners by providing an

    easy and flexible method for access control. Once the

    package is installed in the cloud server, each upload and

    access will be handled by PMS itself; no need of cloud

    service providers instructions. In this paper we dis-

    cussed an effective solution data security in cloud envi-

    ronment using Attribute Based Encryption (ABE). Wediscussed a security architecture based our approach. In

    order to demonstrate its feasibility, we finally presented

    the design and implementation.

    PERMISSIONMANAGEMENTSYSTEMFORSECURECLOUDSInternational Journal ofSystems , Algorithms &

    ApplicationsIIIIJJJJSSSSAAAA AAAA

    Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 2

    ICTM 2011|June 8-9,2011|Hyderabad|India

  • 8/2/2019 Permission Management System for Secure Clouds

    3/3

    REFERENCES[1] B. Hayes, Communications of the ACM, in Cloud computing,

    vol. 51, no. 7, 2008, pp. 911.

    [2] A. Sahai and B. Waters, Advances

    in Cryptology-EUROCRYPT 2005, in Fuzzy identity-based encryp-

    tion, 2005, pp. 457473.

    [3] D. Boneh and M. Franklin, Identity-based encryption from the

    Weil pairing, in Advances in Cryptology-CRYPTO 2001. Springer,

    2001, pp. 213229.

    [4] J. Bettencourt, A. Sahai, and B. Waters, Ciphertext-policy at-

    tributebased encryption, in IEEE Symposium on Security and Priva-

    cy, 2007. SP07, 2007, pp. 321334.

    PERMISSIONMANAGEMENTSYSTEMFORSECURECLOUDS International Journal ofSystems , Algorithms &

    ApplicationsIIIIJJJJSSSSAAAA AAAA

    Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 3

    ICTM 2011|June 8-9,2011|Hyderabad|India