SOFTWARE: ASP.NET | VB.NET | C#.NET | RAZOR MVC 4 ASP.NET | RESTful Web services
People endorse the great power of cloud computing, but cannot fully trust the cloud providers to host privacy-sensitive data, due to the absence of user-to-cloud controllability. To ensure confidentiality, data owners outsource encrypted data instead of plaintexts. To share the encrypted files with other users, Ciphertext-Policy Attribute-based Encryption (CP-ABE) can be utilized to conduct fine-grained and owner-centric access control. But this does not sufficiently become secure against other attacks. Many previous schemes did not grant the cloud provider the capability to verify whether a downloader can decrypt. Therefore, these files should be available to everyone accessible to the cloud storage. A malicious attacker can download thousands of files to launch Economic Denial of Sustainability (EDoS) attacks, which will largely consume the cloud resource. The payer of the cloud service bears the expense. Besides, the cloud provider serves both as the accountant and the payee of resource consumption fee, lacking the transparency to data owners. These concerns should be resolved in real-world public cloud storage. In this paper, we propose a solution to secure encrypted cloud storages from EDoS attacks and provide resource consumption accountability. It uses CP-ABE schemes in a black-box manner and complies with arbitrary access policy of CP-ABE. We present two protocols for different settings, followed by performance and security analysis.
CP-ABE is a public key encryption scheme with fine- grained access control. In CP-ABE, each user has some attributes and data owners encrypt their files with an access policy over attributes.
Users in the system hold their own secret keys associated with their attribute sets. If and only if the user satisfies the access policy, the user can decrypt
Authenticated Encryption with Associated Data (AEAD) is a symmetric-key encryption that provides both confidentiality and integrity
The security and correctness of the two con- structions are the same. But the latter has a benefit in perfor- mance – the CP-ABE encryption and decryption, which rely on heavy pairing, are reduced to one. The two piece of the AEAD-encrypted messages can still be sent in arbitrary order.
The system uses a public-key signature scheme for message integrity. Assumed the secure distribution of public keys, any data recipient can verify the message integrity. For succinct- ness of signatures, we can use ECDSA:
When a readjustment is needed, both the Sink and the sensor calculates the error between the real transmitted measurement and the last prediction that exceeded emax and triggered the transmission.
CLOUD storage has many benefits, such as always-online, pay-as-you-go, and cheap . During these years, more data are outsourced to public cloud for persistent storage, including personal and business documents. It brings a security concern to data owners : the public cloud is not trusted, and the outsourced data should not be leaked to the cloud provider without the permission from data owners. Many storage systems use server-dominated access control, like password-based and certificate-based authentication . They overly trust the cloud provider to protect their sensitive data. The cloud providers and their employees can read any document regardless of data owners’ access poli- cy.
Besides, the cloud provider can exaggerate the resource consumption of the file storage and charge the payers more without providing verifiable records, since we lack a system for verifiable computation of the resource usage.Relying on the existing server-dominated access control is not secure. Data owners who store files on cloud servers still want to control the access on their own hands and keep the data confidential against the cloud provider and malicious users.
we combine the cloud-side access control and the existing data owner-side CP-ABE based access control, to resolve the aforementioned security problems in privacy- preserving cloud storage. Our method can prevent the EDoS attacks by providing the cloud server with the ability to check whether the user is authorized in CP-ABE based scheme, without leaking other information.
For our cloud-side access control, we use CP-ABE encryp- tion/decryption game as challenge-response. While upload an encrypted file, the data owner firstly generates some random challenge plaintexts and the corresponding ciphertexts. The ciphertexts are related to the same access policy with the specific file. For an incoming data user, the cloud server asks him/her to decrypt randomly selected challenge ciphertext. If the user shows a correct result, which means he/she is authorized in CP-ABE, the cloud-side access control allows the file download.
In this paper, we propose a combined the cloud-side and da- ta owner-side access control in encrypted cloud storage, which is resistant to DDoS/EDoS attacks and provides resource con- sumption accounting. Our system supports arbitrary CP-ABE constructions. The construction is secure against malicious data users and a covert cloud provider.
We relax the secu- rity requirement of the cloud provider to covert adversaries, which is a more practical and relaxed notion than that with semi-honest adversaries. To make use of the covert security, we use bloom filter and probabilistic check in the resource consumption accounting to reduce the overhead. Performance analysis shows that the overhead of our construction is small over existing systems.