Permission Management System for Secure Clouds

8/2/2019 Permission Management System for Secure Clouds

1/3

AbstractCloud computing is an emerging computing para-

digm in which resources of the computing infrastructure are

provided as services over the Internet. As promising as it is, this

paradigm also brings forth many new challenges for data secu-

rity and access control when users outsource sensitive data for

sharing on cloud servers, which are not within the same trusted

domain as data owners. In this paper, we discuss a novel ap-

proach to controlling access to user data in the cloud, Permis-

sion Management System (PMS). User data are encrypted to

maintain confidentiality and permissions are managed via de-

cryption keys using techniques of attribute-based encryption(ABE).

Keywords: PMS, ABE

I. INTRODUCTION

In past three decades, the world of computation has

changed from centralized (client-server not web-based)

to distributed systems and now we are getting back to

the virtual centralization (Cloud Computing). Location

of data and processes makes the difference in the realm

of computation. On one hand, an individual has full

control on data and processes in his/her computer. On

the other hand, we have the cloud computing wherein,

the service and data maintenance is provided by some

vendor which leaves the client/customer unaware of

where the processes are running or where the data is

stored. So, logically speaking, the client has no control

over it.

One of the challenging problems cloud computing

[1] is facing in this context is the security of data in the

cloud in general, access control to the data in the cloud

in specific. Since the physical location of user data in

the cloud is unknown and often the data are distributedacross multiple cloud services, there is a strong need

for a better solution for involving users in the develop-

ment and control of access control policies surrounding

the use of their data.

In this paper we present a novel approach to control-

ling access to user data in the cloud to address the is-

sues. Specifically, providing an environment where

user can set permissions for all data stored on a cloud.

When user uploads data to the cloud he is asked to set

the access control parameters for the data and then

cloud owner monitors the data accordingly. Moreover,user data are encrypted using attribute based encryption

(ABE), therefore remaining confidential, and permis-

sions are managed in the form of decryption key.

The rest of this paper is organized as follows. Sec-

tion 2 discusses about related works. In Section 3, we

present our approach, followed by the discussion on the

design and implementation in Section 4 and section 5

concludes this paper.

II. BACKGROUND AND RELATED WORK

A. Attribute Based Encryption

There has been growing interest in attribute basedencryption (ABE) since first proposed by Sahai et al.

[2] ABE is based on and extended from identity based

encryption (IBE) [3], which is similar to traditional

public-key based cryptography systems, but instead of

using a randomly generated public key, entities use

unique strings or other short identifiers, such as email

addresses, as their public key. For instance, to send an

encrypted email to [email protected], Alice would

encrypt the message using the email address as the

public key. Bob would obtain his corresponding private

key from a Private Key Generator to decrypt the mes-

sage. Therefore, IBE helps negate the use of public keycertificate in PKC-based applications. ABE is a further

extension from this. In ABE, a set of user attributes,

not just user identity, are associated with both cipher

text and decryption key so that the user that can pro-

vide a correct subset of attributes depending on access

policy can decrypt the cipher text using the decryption

key. For instance, to encrypt a confidential data stored

in the company.com intranet and allow it to be de-

crypted only by Account Payable or HR managers in

company.com, Alice would encrypt the data along

with her access control policy expressed as (Account

Payable manager:company.com_HR manag-

er:company.com). Bob, who is an HR manager in

company.com, would obtain his corresponding pri-

vate key from Alice to decrypt the data. Hence, ABE

enables a very flexible and scalable access control sys-

tem. There have been two types of ABE proposed: key-

based ABE (KP-ABE) and cipher text-policy ABE (CP

-ABE). In KP-ABE, access policy is associated with

private key, whereas in CP-ABE, the access policy is

specified in the cipher text [2][3]. Our approach uses

the latter.

III. OUR APPROACH

In this section, we discuss our approach to enabling a

user centric and flexible access control system in cloud

Permission Management System for Secure Clouds

1Ashwini U S, 2Kiran R, 3Iranna N K, 4Kirana K B, 5T. S. Bharath(M. Tech)1,2,3,4,5Computer science and Engineering,Sri Siddhartha Institute of Technology, VTU, Tumkur, India

email: [email protected], [email protected], [email protected],

[email protected],[email protected]

International Journal ofSystems , Algorithms &

ApplicationsIIIIJJJJSSSSAAAA AAAA

Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 1

ICTM 2011|June 8-9,2011|Hyderabad|India


2/3

computing.

Figure 1. Architecture based on our approach

A. Permission Management System

The Permission Management System proposed here

comes as a software package which the cloud owner can

install in his cloud to ensure data owners that their data

is secure. It works as follows:

Cloud service provider installs PMS software.

Whenever data owner uploads data to the cloud

PMS asks him to specify access structure and set

access credentials. PMS encrypts the data and this encrypted data

will be stored on cloud server.

Whenever any user tries to access the data he

needs to specify his attributes.

Based on users attributes PMS locates him in

the access structure and allow/deny the request

accordingly. If the user is allowed PMS provides

him with the decrypted data.

The system is flexible as it allows the owner to specify

different access credentials on same data to different

users based on their access structure.

B. ABE Components

Four fundamental components from the cipher-

policy attribute based encryption (CP-ABE) are needed

for our scheme to realize Permission Management Sys-

tem in cloud computing, which are Setup, Encrypt, Key-

Gen, and Decrypt. In order to describe them, we slightly

modify the notations [4] as follows:

Definition 1. (Access Structure) Let {A1, A2, A3 , ...,

An} be a set of attributes. A collection A _ 2

{A1,A2,A3,...,An} is monotone if8B, C: if B 2 A and

B _ C then C2 A. An accessstructure is a collection A

of non-empty subsets of{A1, A2, A3,..., An}. The sets inA are called the authorized attribute sets, and the sets

not in A are called the unauthorized attributesets.

Having defined the access structure, we discuss the four

components as follows:

Setup component: the setup component initializ-

es a permission management service for a user

by generating the public parameters PK and a

master key MK.

Encrypt component: The encrypt component

encrypts user data in service providers. It takes

as input the public parameters PK, a data M,

and an access structure A. The component will

encrypt M and produce a cipher text CT such

that only a user that possesses a set of attributes

that satisfies the access structure will be able to

decrypt the data.

Key generation component: The key generation

component generates a private key for a re-

quester, taking as input the master key MK and

a set of attributes S that describes the key.

Decrypt component: The decrypt component

decrypts the encrypted data using the public

parameters PK, a cipher text CT, which con-tains an access policy A, and a private key SK.

If the set S of attributes satisfies the access

structure A, then the component will decrypt

the cipher text and return a message M.

IV. DESIGN AND IMPLEMENTATION

Permission Management System is implemented as

software which consists of CPABE logic for data en-

cryption and decryption.

The methods PMS includes are:

PMS::install: This deals with installation of the

software in the cloud and initial configuration. PMS::upload: This method is invoked whenev-

er owner wants to upload data to the cloud. It

takes data, access structure and access creden-

tials as input. Encrypted data is the output. Also

it stores access structure and access credentials

for future reference.

PMS::access : Any user request to access data

on the cloud internally calls this method. It ac-

cepts users attributes as input and checks it with

access structure and access structure associated

with the requested data. If the user has required

permission decrypted data is produces as output.Otherwise request is simply denied.

V. DISCUSSION AND CONCLUSIONS

Permission Management System (PMS) makes life in

the Cloud easier for content owners by providing an

easy and flexible method for access control. Once the

package is installed in the cloud server, each upload and

access will be handled by PMS itself; no need of cloud

service providers instructions. In this paper we dis-

cussed an effective solution data security in cloud envi-

ronment using Attribute Based Encryption (ABE). Wediscussed a security architecture based our approach. In

order to demonstrate its feasibility, we finally presented

the design and implementation.

PERMISSIONMANAGEMENTSYSTEMFORSECURECLOUDSInternational Journal ofSystems , Algorithms &





3/3

REFERENCES[1] B. Hayes, Communications of the ACM, in Cloud computing,

vol. 51, no. 7, 2008, pp. 911.

[2] A. Sahai and B. Waters, Advances

in Cryptology-EUROCRYPT 2005, in Fuzzy identity-based encryp-

tion, 2005, pp. 457473.

[3] D. Boneh and M. Franklin, Identity-based encryption from the

Weil pairing, in Advances in Cryptology-CRYPTO 2001. Springer,

2001, pp. 213229.

[4] J. Bettencourt, A. Sahai, and B. Waters, Ciphertext-policy at-

tributebased encryption, in IEEE Symposium on Security and Priva-

cy, 2007. SP07, 2007, pp. 321334.

PERMISSIONMANAGEMENTSYSTEMFORSECURECLOUDS International Journal ofSystems , Algorithms &




Permission Management System for Secure Clouds

Documents

Transcript of Permission Management System for Secure Clouds