Cloud computing is an emerging computing paradigm that enables users to store their data into a cloud server to enjoy scalable and on-demand services. Nevertheless, it also brings many security issues since cloud service providers (CSPs) are not in the same trusted domain as users. To protect data privacy against untrusted CSPs, existing solutions apply cryptographic methods (e.g., encryption mechanisms) and pro- vide decryption keys only to authorized users. However, sharing cloud data among authorized users at a fine-grained level is still a challenging issue, especially when dealing with dynamic user groups. In this paper, we propose a secure and efficient fine- grained access control and data sharing scheme for dynamic user groups by (1) defining and enforcing access policies based on the attributes of the data; (2) permitting key generation center (KGC) to efficiently update user credentials for dynamic user groups; and (3) allowing some expensive computation tasks to be performed by untrusted CSPs without requiring any delegation key. Specifically, we first design an efficient revocable attribute- based encryption (RABE) scheme with the property of ciphertext delegation by exploiting and uniquely combining techniques of identity-based encryption (IBE), Attribute-based Encryption (ABE), subset-cover framework and ciphertext encoding mech- anism.
The CLIENT (e.g., David) first decides the users (e.g., Alice and Bob) who can share the data. Then, David encrypts the data under the identities Alice and Bob, and uploads the ciphertext of the shared data to the cloud server. By delegating the generation of re-encryption key to the key authority, the ciphertext size of their scheme also achieves constant. However, to this end, the key authority has to maintain a data table for each user to store the user�s secret key for all time period, which brings storage cost for key authority.
A cloud service provider has huge storage space, computation resource and shared service to provide the clients. It is responsible for controlling the data storage in outside users� access, and provides the corresponding contents. Public Cloud Server (PCS) is an entity, which is managed by cloud service provider, has significant storage space and computation resource to maintain the client�s data. If some challenged blocks have been modified or deleted, the malicious PCS cannot generate a valid remote data integrity proof.
Key Generation Center (KGC) is an entity, when receiving an identity; it generates the private key which corresponds to the received identity.
In this module, either Alice or Bob wants to get the shared data, she or he can download and decrypt the corresponding ciphertext. However, for an unauthorized user and the cloud server, the plaintext of the shared data is not available. In some cases, e.g., Alice�s authorization gets expired, David can download the ciphertext of the shared data, and then decrypt-then-re-encrypt the shared data such that Alice is prevented from accessing the plaintext of the shared data, and then upload the re-encrypted data to the cloud server again.
One of the most fundamental services offered by CSPs is data storage. Despite of the benefits provided by cloud storage, it is facing many challenges that, if not well resolved, may impede its fast growth. Consider a practical application that a company allows its staff or departments to store and share data via the cloud. By utilizing the cloud, the company can be completely released from the local data storage and maintenance burden. However, it also incurs a major security threat towards the data confidentiality. Specifically, the CSPs are not fully trusted by users while the data files stored in the cloud may be sensitive and confidential. To address this issue, a basic solution is to encrypt data, and then uploads the encrypted data into the cloud.
However, the traditional encryption mechanisms are not efficient or flexible for data sharing in the cloud. In order to achieve optimal usage of storage resources, it is desirable to use advanced encryp- tion mechanisms allowing the data to be shared at a fine- grained level. One of the promising tools for achieving fine- grained access control and sharing of encrypted data is to use attribute-based encryption (ABE). Nevertheless, it is not straightforward to directly apply ABE in real applications due to various practicality concerns.
we present a new solution for enabling attribute-based access control for dynamic user groups in cloud storage systems. Specifically, we present a new RABE scheme that allows the cloud storage to update ciphertexts for handling revocation without any delegated key and at the same time achieves high efficiency. The high cost of Sahai et al.�s scheme is mainly due to the use of two ABE components for handling the attributes and the time component.
Therefore, our idea is to replace the ABE for handling the time component by a more efficient primitive. One difficulty of realizing this idea is that we need a new access control mechanism for the time component to efficiently handle revocation, and the other difficulty is that we need to build a primitive that supports ciphertext update and can be integrated with the new time control mechanism.
Revocable attribute-based encryption (RABE) supporting ciphertext delegation is a useful primitive for enabling secure data sharing via a third-party storage service provider such as cloud storage. In this paper, we revisited the state-of-the-art RABE scheme supporting ciphertext delegation and proposed a new construction paradigm that gives more efficient schemes compared with the previous solution.
We provided formal security proofs for our proposed schemes and performed experiments to demonstrate that our new schemes are indeed more efficient than the previous solution. We also presented a fine-grained access control and data sharing system for on- demand services based on the proposed RABE scheme.