Multi-Owner Data Sharing in Cloud Storage Using Policy Based Encryption

Transcription

1 Multi-Owner Data Sharing in Cloud Storage Using Policy Based Encryption Shani Raj 1, Dr. Varghese Paul 2, Nishana Rahim 3 1,3 Assistant Professor, College of Engineering, Kottarakara, Kerala, India 2 Professor in IT, Cochin University of Science & Technology, Cochin, Kerala, India Abstract Cloud storages are generally hosted by third parties where data can be stored and shared. Cloud storage provides virtualized pools of storage and people buy or lease storage capacity from them. The security of data is major problem when people use commercial cloud services to store their data. To avoid unauthorized access, data should be encrypted before outsourcing. Instead of attribute based encryption, role based policies can be generated and based on that policies encryption can be done. In the case of data with multiple owners, the access control, integrity and revocation are major issues. All the owners must have same access policy and revocation should be done with the permission of all owners. Another major issue is key generation and management. Here we explore a policy based encryption technique where access key generation for user is based on access policies assigned to each user along with the attributes. The data stored in the cloud is encrypted using a key generated based on the access permissions assigned to the data and attributes of the owners who share their data with high security and integrity using policy based encryption technique. Keywords ABE, Access control, Access key, Cloud Storage, Integrity, Policy, Revocation. I. INTRODUCTION Cloud computing is a general term for anything that involves delivering hosted services, scalable services like data sharing, accessing etc., over the web on demand basis. It uses the web and central remote servers to maintain data and applications. Cloud computing allows consumers and businesses to use applications without installation and access their personal files at any computer with web access. This technology allows for much more efficient computing by centralizing storage, memory, processing and bandwidth. Cloud computing is broken down into three segments: "application" "storage" and "connectivity". Each segment serves a different purpose and offers different products for businesses and individuals around the world. Multi-owner information exchange is a model for sharing business data of large organizations, which allows owners to create, manage and control their information/data in cloud. Cloud storage permits a large number of users having different roles and access permissions to share and store their data. In policy based data sharing, each user has an access policy for the system and each file has some file access policy which may differ for different users. In a distributed environment multiple copies of data is there to improve availability. Hence the integrity and access control are major concerns. A cloud system may have many cloud service providers (CSPs) to improve the performance of said system. Based on availability and work load, the system selects a CSP for the client accessing it. Hundreds or thousands of clients may access the system simultaneously; hence the availability is a major problem. It can be improved by CSPs with data replication. The data owners may want to set some restrictions to clients who are trying to access the data. In this scenario, the distributed data should keep all details about the different access control policies set to data. But again the authorized clients should be categorized according to permission; it will be a problem in a distributed system with many clients. This system mainly allows public users and custom users. In the case of public users the policy is same for all and only public files can be accessed by them, it is not a challenging problem. The second category, custom users are somehow a major problem. Custom users are selected users who have special permissions for accessing some files/data. The permissions may be same or different for each custom user. The system must keep track of all the access policies of custom users and provide data/file according to those policies. We are proposing a system which deals multiple owners and multiple policies to provide secured data sharing in cloud. II. RELATED WORK The outsourced data/information is protected using some encryption techniques widely. A brief overview of some of the recent researches is presented below. In Mona [1], a user is able to share data with others in the group without revealing identity privacy to the cloud. 126

2 Additionally, Mona supports efficient user revocation and new user joining. More specially, efficient user revocation can be achieved through a public revocation list without updating the private keys of the remaining users, and new users can directly decrypt files stored in the cloud before their participation. Moreover, the storage overhead and the encryption computation cost are constant. In FADE [2], a secure overlay cloud storage system that achieves fine-grained, policy-based access control and file assured deletion is proposed. It associates outsourced files with file access policies, and assuredly deletes files to make them unrecoverable to anyone upon revocations of file access policies. To achieve such security goals, FADE is built upon a set of cryptographic key operations that are self-maintained by a quorum of key managers that are independent of third-party clouds. In particular, FADE acts as an overlay system that works seamlessly atop today s cloud storage services. In Secured sharing of Personal Health Records [3], to achieve fine-grained and scalable data access control, they suggest attribute based encryption techniques. In this approach they focus on the multiple data owner scenario and divide the users in the PHR system into multiple security domains that greatly reduces the key management complexity for owners and users. A high degree of patient privacy is guaranteed simultaneously by exploiting multiauthority ABE (MA-ABE). The proposed architecture uses some important security services including authentication, encryption and decryption. The same is discussed along with compression in [4]. Key Policy Attribute-Based Encryption (KP-ABE), Proxy Re-Encryption (PRE) and Lazy re-encryption [4] handles many of the security issues. A main issue in the proposed system is distributed auditing. A flexible distributed storage integrity auditing mechanism, utilizing the homomorphic token and distributed erasure-coded data is referred in [5]. The design in [6] allows users to audit the cloud storage with very lightweight communication and computation cost. The auditing result not only ensures strong cloud storage correctness guarantee, but also simultaneously achieves fast data error localization. Considering the cloud data are dynamic in nature, the design [5] further supports secure and efficient dynamic operations on outsourced data, including block modification and deletion. III. ARCHITECTURE We are proposing the architecture with multiple owners and users. The owners of a single data/file may belong to an organization or institution. For example, in a company the confidential data may be handled by only directors and may have more than one director. In such situations the security and integrity of data is challenging. Here the data may have multiple owners, the owners register into system as a group but having individual access keys and passwords. Anyone in the group can store and share the data. The policies of shared files are set by any of the owners and need approval of all the owners. In short, any change in file policy should need the group permission. The file shared may be private, custom or public based on the set policy. Private files can only be accessed by the owners. Highly confidential data must be private and the file policies are set using the confidential features and owners private attributes. File revocation means making file permanently inaccessible for all including owners and it is done by deleting the secured decryption key with permission of all the owners along with the file policy. Custom files are shared to a set of selected users by the owners. For example, the directors of an organization may share some information to the employees. Among the employees, the owners can select some particular persons also. The persons are authorized with a special access key to access the data, the access permissions like read, edit, download etc are fixed by owners and users don t have any role in that. Public files can be accessed by all users registered in the system. A public access policy is set to public files and no specific key needed for users other than their access key to access the public file. Here also the access permissions are set by owners. 127

3 Figure 1: Architecture Other than owners, two kinds of users are in the system, custom users and public users. All users must register in the system with a password and an access key is provided to them. Apart from the access key, the user may get an access policy if he/she is in a custom group. For public users a public policy is available for data/file access. The secured keys are sent to users via and the users who clear all authentication tests are only authorized to access the data/file. A. Access Key Generation Access key is generated for each user who registers in the system. System collects some attributes from user including identity attributes like , user-name etc. Using these attributes and some other features a unique key is generated and from that key, using a pattern function, a six digit code is generated and passed to the user. At the time of login, system verifies this code along with the username and password. Since the system is mainly designed for a particular organization, the users of the system can be categorized according to the norms of organization. 1) Owners: Owners are group users who upload data to cloud for safe storage. Each owner in a group have private login including user-name, password and an access key along with a group key. The group key is same for all members in a group. 2) Public Users: Any user can be a public user and the said procedure is same for all users. No particular policy is there to access the public files, only the file policy is needed. 3) Custom Users: In an organization, many kinds of clients and many types of employees are accessing the information always. So the access permissions are varying and owners can select a category or particular user to assign a particular access policy. Special access keys are generated based on file policy and user category or type. That specific access key and policy is checked before giving access to those files. B. File Policy and Encryption Key File policies are generated for each file based on the confidentiality of the file. The owners may store the file as private, public or custom and may set the permissions as read, edit, download and delete. 128

4 The first category is based on confidentiality and type of information. For example, some data are strictly confidential and only owners can view. Some can be edited by any owner and some can be edited with the knowledge of all owners. Likewise the data for clients can be accessed by them and managed by particular employees. The second thing in policy is the access rights or permissions for users. Here user means all who are accessing the system. The permissions may read, edit, download or delete. By mixing these two factors file policies are generated. For example client-a can read and download File-B as a custom user or any user can read File-C as public user. The most challenging part is generation of encryption key based on these policies. For generating the key, the file policy like private, public and custom is used along with file attributes, attributes of owners and access permissions. Hence the encryption method is a combination of Attribute based Encryption [ABE] and Policy based Encryption. A dynamic pattern function is used to make key, the pattern varies for private, public and custom files. The encryption key breaks and forms n codes and saves in n key managers. The combination code is stored in another location. C. Decryption Before accessing a file, the file policies and user policies are matching. If both match, then according to the access key of user the system finds the permissions allowed for that user and retrieves the combination code. Using the combination code, the key codes are retrieved and combined to make the key. Then decryption is doing with that key. D. File Revocation File revocation means making the file permanently inaccessible. This is done by deleting the file policies and encryption keys. If m codes out of n are deleted the key cannot be reformed and decryption is impossible. When a file is trying to access, first the file policies are checked, if there is no file policy then there itself the file is inaccessible. The system two times ensures the inaccessibility of a file. IV. PERFORMANCE EVALUATION Performance of the system should be evaluated with all the advantages of cloud systems. The throughput and security should reach some reasonable level. The factors evaluated here are storage, cryptographic operation time and file revocation and handling time. A. Storage The storage ensures security and confidentiality based on access keys. The key generated is 16 bit and among the 16 bits, a code of length six is given to the user. The pattern function used for generating the code is different for different kinds of users. Hence the complexity of access key generation is high. When a user enters the system, the system collects some information from the user and based on those, the pattern function is selected. This is the same while login also. Group owners have both private access key and group access key. In both cases the features selected for generating the 16 bit key are different. The challenge is to manage the keys and codes separately and to create a mapping function for them. Here it is done with identity attributes. The storage overhead is related to the extra codes generated for each users, groups and group members other than the keys. B. Cryptographic Operation Time The cryptographic operations include key generation, encryption, key retrieval and decryption. Key generation is time consuming since it has to take the file attributes, owner attributes and file policies. Again the key size depends on the size of the file. The key storage is another issue. Here the key is stored in n key managers. Hence storage overhead is also there. Then encryption time depends on the file size, as file size increases the time also increases. Figure 2: File Uploading [file size Vs time] graph The key retrieval also needs a series of operations like the different authentication checking, the retrieval of combination code, retrieval of key codes from key managers and making the correct key from the key codes. This also takes some reasonable time. Finally the decryption operation is doing with the key and it depends on the file size. 129

5 More specially, efficient file revocation can be achieved through file policy revocation and deletion of some key codes. So users cannot decrypt files stored in the cloud. Moreover, the storage overhead and the encryption computation cost are constant. Extensive analyses show that our proposed scheme satisfies the desired security requirements and guarantees efficiency as well. C. Security Figure 3: File Downloading [file size Vs time] graph The designed system achieves finite levels of security using access policies and file policies. 1) Owner Level: In the owner level the system provides equal privileges to all members of a group. A private access key is available to each owner in a group and a common group access key. Hence the system ensures confidentiality by checking the two keys. The owner enters a six bit key and there is a 16 bit key matching to this. For retrieving that 16 bit matching key, an identity attribute from owner is to be collected. To keep files secured, as mentioned above file policies and a key are generated and allows only right users to access the file with right permission. 2) User Level: In the user level the system provides a user access key using the same method used in case of an owner. The authentication is given by checking all those factors specified earlier. 3) File Level: In the file level the system provides file access policies and encryption key to encrypt the file. The file is stored in encrypted format only. The key is of varying size and the variation depends on the size. Hence the hacker must know the file size to fix the key size. Another advantage is the breaking of key into n key codes. These codes are stored in n different locations and the combination of these locations is different for different keys. This makes the system more secure. V. CONCLUSION In this paper, we design a secure data sharing with policies for dynamic groups of owners in a cloud storage system. In this, a user is able to share data with others in the system as well as a group is also capable of storing and sharing their data. Additionally, this system supports efficient file revocation and policy changing. REFERENCES [1] Xuefeng Liu, Yuqing Zhang, Boyang Wang, and Jingbo Yan, "Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the Cloud, IEEE Transactions on Parallel and Distributed Systems [2] Yang Tang, Patrick P.C. Lee, John C.S. Lui and Radia Perlman, Secure Overlay Cloud Storage with Access Control and Assured Deletion, IEEE Transactions on Dependable and Secure Computing, Vol. 9, No. 6, November/December [3] Ming Li, Shucheng Yu, Yao Zheng, Kui Ren, and Wenjing Lou, Scalable and Secure Sharing of Personal Health Records in Cloud Computing using Attribute-based Encryption,IEEE Transactions on Parallel and Distributed Systems Vol. 24, Issue No. 1,2013. [4] S Sajithabanu and Dr. E George Prakash Raj, Data Storage Security in Cloud, IJCST Vol. 2, Issue 4, Oct. - Dec [5] Cong Wang, Qian Wang, Kui Ren, Ning Cao and Wenjing Lou, 2012 Toward Secure and Dependable Storage Services in Cloud Computing, IEEE Transaction on Services Computing, VOL 5, Issue 2, April-June. [6] R.Uma Maheswari and M.Chinnadurai,2014 Secured Resource Sharing in Cloud Storage using Policy based Access Control, International Journal of Emerging Technology and Advanced Engineering. [7] Nishana Rahim and K Saravanan,2013 Secured Image sharing and Deletion in the Cloud Storage using Access Policies, International Journal on Computer Science and Engineering.. [8] Dr. Mohammed A. T. AlSudiari & Dr. TGK Vasista, (2012) Cloud Computing and Privacy Regulations: An Exploratory Study on Issues and Implications, Advanced Computing: An International Journal (ACIJ), Vol.3, No.2. [9] Abdul Wahid Khan, Siffat Ullah Khan, Muhammad Ilyas & Muhammad Ilyas Azeem, (2012) A Literature Survey on Data Privacy/ Protection Issues and Challenges in Cloud Computing, IOSR Journal of Computer Engineering (IOSRJCE) ISSN: Volume 1, Issue 3, PP [10] Mell P. & Grance T. "NIST Definition of Cloud Computing V15", (2009) [11] Zhang Xin, Lai Song-qing & Liu Nai-wen, (2012) Research on cloud computing data security model based on multi-dimension, Information Technology in Medicine and Education (ITME), 2012 International Symposium, VOL. 2, Page(s): [12] Kulkarni G; Dept. of Electron. & Telecommun., Marathwada Mitra Mandal's Polytech., Pune, India, Gambhir J, Patil T & Dongare A, (2012) A security aspects in cloud computing, Software Engineering and Service Science (ICSESS), 2012 IEEE 3rd International Conference. [13] D. Boneh & M.K. Franklin, (2001) Identity-Based Encryption from the Weil Pairing, Proc. Int l Cryptology Conf. Advances in Cryptology, pp

6 [14] J. Bethencourt, A. Sahai & B. Waters, (2006) Ciphertext-Policy Attribute-Based Encryption, Proc. IEEE Symp. Security and Privacy. [15] Aderemi A. Atayero & Oluwaseyi Feyisetan, (2011) Security Issues in Cloud Computing: The Potentials of Homomorphic Encryption, Journal of Emerging Trends in Computing and Information Sciences, VOL. 2, NO. 10, ISSN [16] Siani Pearson, Yun Shen & Miranda Mowbray, (2009) A Privacy Manager for Cloud Computing, HP Labs, Long Down Avenue, Stoke Gifford, Bristol BS34 8QZ, UK, pp [17] Siani Pearson & Andrew Charlesworth, (2009) Accountability as a Way Forward for Privacy Protection in the Cloud, HP Laboratories, HPL [18] R. Corin, S. Etalle, J. den Hartog, G. Lenzini & I. Staicu, (2005) A Logic for Auditing Accountability in Decentralized Systems, Proc. IFIP TC1 WG1.7 Workshop Formal Aspects in Security and Trust, pp [19] Rodrigo N. Calheiros, Rajiv Ranjan, César A. F. De Rose & Rajkumar Buyya, CloudSim: A Novel Framework for Modeling and Simulation of Cloud Computing Infrastructures and Services. [20] A. Boldyreva, V. Goyal & V. Kumar, (2008) Identity-Based Encryption with Efficient Revocation, Proc. 15th ACM Conf. Computer and Comm. Security (CCS). [21] V. Goyal, O. Pandey, A. Sahai, & B. Waters, (2006) Attribute- Based Encryption for Fine-Grained Access Control of Encrypted Data, Proc. 13th ACM Conf. Computer and Comm. Security (CCS). [22] A. Shamir, (1979) How to Share a Secret, Comm. ACM, vol. 22, no. 11, pp [23] S. Kamara & K. Lauter, (2010) Cryptographic Cloud Storage, Proc.14th Int l Conf. Financial Cryptography and Data Security. [24] S. Yu, C. Wang, K. Ren & W. Lou, (2010) Attribute Based Data Sharing with Attribute Revocation, Proc. Fifth ACM Symp. Information, Computer and Comm. Security (ASIACCS). [25] M. Pirretti, P. Traynor, P. McDaniel, & B. Waters, (2006) Secure Attribute-Based Systems, Proc. 13th ACM Conf. Computer and Comm. Security (CCS). 131