Role Based Encryption with Efficient Access Control in Cloud Storage

G. V. Bandewar¹, R. H. Borhade²

¹ Department of Information Technology, Sinhgad Technical Education Society's SKNCOE, Pune, India
² Professor, Department of Information Technology, Sinhgad Technical Education Society's SKNCOE, Pune, India

Abstract: Cloud computing is a powerful paradigm for providing on-demand services to users. The cloud is a platform that provides many resources to its users. Many users have migrated from desktop computers to the cloud because it offers a tremendous amount of storage for their data, which they can access from anywhere. Many users lose control of their data when they access it from the cloud. In this case users may lose their data, and many attacks may occur. It is therefore necessary to provide a data access control mechanism, called Role Based Encryption (RBE), that uses Role Based Access Control (RBAC) policies. It provides access control over the data. The RBE scheme grants data access based on the roles of the users. Roles are defined according to the membership of each user, so that the user with the highest role membership parameters can access the data, and so on.

Keywords: Access control, cloud computing, data storage, role-based access control policies

1. Introduction

Cloud computing is receiving a lot of attention from the academic and industrial worlds. In cloud computing, users can outsource their data over the internet to a server, called the cloud, which frees them from difficulties such as maintaining data storage. The cloud provides basically three types of services: Platform as a Service (PaaS), Software as a Service (SaaS), and Infrastructure as a Service (IaaS) [1]. A huge amount of information is stored in the cloud, and it may contain sensitive information such as personal records, health records, user IDs or passwords, important documents and so on.
Thus, it is necessary to provide secure access control when users access data from the cloud.

Different types of infrastructure are associated with the cloud. A public cloud is one that is publicly available to users and has no restrictions. A private cloud is a cloud controlled by a single authority or organization. A hybrid cloud is a combination of the public and private clouds, in which all sensitive information is stored in the private cloud and all other encrypted information is stored in the public cloud [1].

There are three types of access control: user-based access control, attribute-based access control and role-based access control. In role-based access control, users are classified according to their role, and they can access data from the cloud only if they have a valid role. For example, only faculty members, not students, should access data related to a student's mark sheet.

Data security and data privacy are also very important concerns. Thus, data often encode sensitive information and should be protected from many organizational policies. Here an encryption scheme is very useful. Encryption is a major technique for providing security to cloud data. Encryption alone is not efficient; along with it, some access control policies should be in place to provide data privacy as well.

This paper addresses the issue of secure data storage. To allow users to control access to their data, some access control policies are required. In the role-based access control model, roles are generated for access permissions and users are allotted to the appropriate role. Access permissions are based on the qualified role, not on individual users. To protect the privacy of data, the admin/data owner can employ cryptographic techniques.

Main contribution:
1) A new RBE scheme with access control policies.
2) A practical implementation of the proposed RBE system with an architecture description.
3) Analysis of results in terms of encryption and decryption time.
This paper is organized as follows. Section 2 describes existing work in detail. Section 3 introduces the proposed work. Section 4 gives a comparison between the proposed and existing systems. Section 5 gives implementation details. Section 6 gives results and discussion. Section 7 concludes the paper.

2. Existing System

2.1 RBE (Role Based Encryption) scheme with RBAC Policies

In RBE with RBAC policies, the hybrid cloud concept is used with the RBAC model. It is helpful only when the cloud is trusted. Only users with an appropriate role can access their part of the data from the cloud. The RBE system is based on the position of a user within an organization. The scheme is useful for a trustworthy cloud [1].

2.2 BGKM (Broadcast Group Key Management)

In BGKM (Broadcast Group Key Management), users can decrypt data if and only if their identity attributes satisfy the content provider's policies. The main idea of this scheme is to give users some secrets based on their identity attributes and later allow them to derive the actual symmetric keys from their secrets and some public information, so that security is improved. In simple ABE (Attribute Based Encryption), access to data in the cloud is handled only through users' authorized attributes. Security is not provided in traditional ABE [2].

Paper ID: NOV161189 560

2.3 IBBE (Identity-Based Broadcast Encryption)

The IBBE scheme uses message broadcasting. The scheme first encrypts the message and then broadcasts it to multiple users. A broadcaster is responsible for broadcasting messages. Users then use their private keys to decrypt and view the data. A key encapsulation mechanism is used here [3].

2.4 HASBE (Hierarchical Attribute Set Based Encryption)

HASBE employs multiple value assignments for access expiration time to deal with user revocation more efficiently than existing schemes. Hierarchical Attribute-Set-Based Encryption (HASBE) extends ciphertext-policy attribute-set-based encryption (ASBE) with a hierarchical structure of users. This system achieves greater scalability and flexibility in terms of access control. User revocation can be done more efficiently. ASBE is an extended version of CP-ABE that organizes user attributes into a recursive set structure. The ASBE scheme is used for creating the hierarchical structure. HASBE is applied for hierarchical user grant, data file creation, file access, user revocation, and file deletion [4].

2.5 CACH (Content Access Control in Hierarchy)

The CACH scheme includes independent and dependent key approaches. For data access, there is no need for the key with which the data is encrypted; users can use their own key with some public parameters. In the independent key approach, however, the user must have a copy of the key with which the data is encrypted. These are complex techniques [5].

2.6 Cipher text policy attribute based encryption

Some of the most challenging issues in the data outsourcing scenario are the enforcement of authorization policies and the support of policy updates.
Ciphertext-policy attribute-based encryption is a cryptographic solution to these types of issues, enforcing access control policies defined by a data owner on outsourced data. This dual encryption scheme exploits the combined features of ciphertext-policy attribute-based encryption and a group key management algorithm. The system is scalable for securing outsourced data. It helps resolve the stateless problem, in which users may miss many key update messages and therefore sometimes cannot keep their key states up to date [6].

Table 1: Literature Survey
Columns: Sr. no, Existing Method, Advantages, Disadvantages

1. Cipher text-policy attribute-based encryption
   Advantages: It allows efficient revocation mechanism. Scalable for securing outsourced data. Resolves the stateless problem.
   Disadvantages: It is not flexible. Better authentication is not provided.

Existing methods, rows 2 to 8:
2. BGKM (Broadcast Group Key Management)
3. RBE (Role-based encryption)
4. HASBE (Hierarchical Attribute Set Based Encryption)
5. ABE (Attribute Based Encryption) scheme
6. KP-ABE (Key Policy Attribute Based Encryption)
7. RBCD (Role Based Cascaded Delegation)
8. RBE using RBAC model

Advantages column, rows 2 to 8, in order:
- Revocation can be done efficiently.
- Requires minimum computation cost and space.
- Constant size ciphertext.
- Constant size keys in single & multiple roles.
- Supports user revocation.
- Secure access.
- Secure access is provided.
- Improved performance and efficiency as well.
- Constant size ciphertext and keys.
- User revocation does not affect other roles or users.
- There is no need of re-encryption after user revocation.

Disadvantages column, rows 2 to 8, in order:
- It cannot trace misleading behavior.
- User revocation affects others.
- Need of re-encryption after user revocation.
- It is not flexible.
- Key size is not constant.
- User revocation affects other users and roles.
- User revocation may affect others.
- Does not support efficient user revocation.
- Does not support secure information sharing.
- It cannot identify the source of data.
- Data searches are not secure.
- This scheme does not work for untrusted cloud.

2.7 RBCD (Role Based Cascaded Delegation)

The RBCD (Role Based Cascaded Delegation) system supports simple and efficient cross-domain authority. In this system, delegated privileges are issued to a role of a particular user rather than to that user. Role members are responsible for creating delegations based on the need for collaboration. In a traditional system, a large number of signatures is required to verify the delegation chain, but in RBCD only one aggregate signature is needed to verify a delegation, which improves performance and efficiency. It shows some issues, such as efficient user revocation and security. A central authority is not available, so it also shows the problem of secure information sharing [7].

2.8 RBE (Role Based Encryption)

This scheme is applied to the public cloud. Data access is based on the position of the user in the organization. If multiple users are present in a single role, any user can be added to or removed from that role at any time [8].
International Journal of Science and Research (IJSR)

2.9 IBSC (Identity-Based Signcryption)

This scheme is proposed for efficiency. It uses bilinear mappings. An IBS (ID-Based Signature) is proposed in it. The IBS mechanism is faster at the verification process [9].

2.10 HIDE (Hierarchical ID-Based Encryption)

The HIDE scheme helps reduce ciphertext expansion. It distributes the workload by transmitting keys. Authentication and key transmission are done locally. It also helps in damage control [10].

2.11 KP-ABE (Key Policy Attribute Based Encryption)

The user is the entity who wishes to access data from the cloud. Upon successful authentication, one secret is given to the user. After receiving the key, the authorized user is able to decrypt the data with that secret key. In this scheme, the admin performs various tasks. The private cloud contains users' identity-related information along with their role parameters. Information in the private cloud is sensitive, so it cannot be accessed by any external party, because the private cloud is accessed only by those within the organization. Unlike the private cloud, the public cloud is globally accessible. It exists outside the infrastructure of the organization. Any unauthorized party is also able to access the data from the cloud.

In KP-ABE (Key Policy Attribute Based Encryption), each ciphertext is labeled by the encryptor with a set of attributes, and the private key is associated with the type of ciphertext that the key can decrypt. This method uses a tree access structure in which the leaves are associated with attributes. A user can decrypt the ciphertext only when the attributes associated with the ciphertext satisfy the key's access structure. This can provide a delegation mechanism [11].

3. RBE with Twofish system

Many RBE schemes were implemented earlier.
All are very useful, but they do not provide better security when the cloud is untrusted. The new RBE mechanism reduces this drawback. The admin is responsible for outsourcing data to the cloud. The admin is also responsible for giving access to part of the data to authorized users only. The admin uploads encrypted data with attached policies for better access control.

4. Comparison between RBE and RBE using SHA-512

In the previous RBE system, authentication of a user is provided, but it is not very efficient, and the whole concentration is on securing access control only. It is necessary to provide better authentication to increase access control. Likewise, data privacy is also necessary. In the new RBE scheme, data integrity is verified. When the admin or data owner outsources data to the cloud, a hash code is generated during upload, and the key to decrypt the data is transferred to the authorized user. On the user side, when the user downloads the data from the cloud, another hash code is generated; if both hash codes are the same, the data is intact. In this case, the data has not been modified and it is safe. A message is sent to the user if any unauthorized modifications are made. Thus, the new RBE system is more secure than existing systems.

RBE Algorithm:

1. Identify Nodes: N is the main set of each user.
   N = {Ad, AU}
   Ad - Admin
   AU - Authorized User
   From this set of nodes, one node behaves as the server node.

Figure 1: Access Control model

Note: The admin can perform all the tasks of the data owner, which helps improve efficiency. The admin manages the roles of users. A role is based on the parameters of user membership, and those parameters are stored in the private cloud. If the admin wants to update user membership, he can update it in the cloud.

2. Upload File: AU = {ENC, FN, POL}
   FN - File name
   ENC - in encrypted format
   Ad - attaches policies to the files

3. Managing Role: Ad = {Mk, IDr}
   Ad manages the role based upon IDr (identity of that role).
The admin is responsible for generating and computing parameters for the users. Role parameters define the position of a user in the role hierarchy. The admin is allowed to update parameters in the private cloud if necessary.

4. Sending Encryption Key to authorized user: AU = {AU1EK, AU2EK, AU3EK, ...}
   Ad outsources the encrypted data with attached policies to the cloud.
   Ad checks that the user's role parameters match the user's membership before giving access to that user.
   Ad gives the decryption key, with the access permission, to that user.
   Each authorized user receives one encryption key to decrypt the file.

5. Authorized User Duty: AU = {UP, DL, MOD}
   The authorized user may download (DL), upload (UP) or modify (MOD) the file.

This paper proposes an RBE scheme that is applied with the help of SHA-512 (Secure Hash Algorithm), combining the features of the AES and Twofish algorithms. The SHA-512 algorithm is used to generate the hash code on the sender side and the receiver side. The method is simple. In the proposed system, when the owner/admin uploads data to the cloud, the admin must attach policies regarding users to it and must also encrypt the information before outsourcing it to the cloud. SHA-512 is used for hash generation on the encryption side and verification on the decryption side. When an authorized user wants to access data from the cloud or modify their data, the user makes a request to the owner/admin. The owner first authenticates the user, checks the user's membership within the organization, and then gives appropriate access to that user. This concept helps control access from the cloud, which results in secure searches. The new RBE mechanism helps provide better authenticity. Access by unauthorized users is avoided in the new RBE system by giving the associated decryption key to the authenticated user, so unauthorized access is reduced, which also helps reduce misuse of data. The scheme focuses entirely on access control and data integrity.

5. Implementation

The above architecture for secure data storage is implemented in Java, and the services are hosted on the Apache Tomcat server, an open source web server and servlet container. The cloud uses an SQL database. The client side is in the Java language and can be run in any web browser.
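The upload-time and download-time hash comparison from Section 4, together with the role check from the RBE algorithm, as an added example that is not the authors' Java implementation. The class `HybridStore`, the role ranks, the file name and the placeholder ciphertext are assumptions made for illustration, as is keeping the upload-time hash code in the private cloud; the encryption step itself (AES and Twofish in the paper) is left out and the ciphertext is treated as opaque bytes.

```python
import hashlib
import hmac

# Constructed role hierarchy: a higher rank means a higher position.
ROLE_RANK = {"student": 1, "faculty": 2, "admin": 3}


def sha512_hex(blob: bytes) -> str:
    """Hash code generated at upload and again at download."""
    return hashlib.sha512(blob).hexdigest()


class HybridStore:
    """Hypothetical model: untrusted public cloud plus trusted private cloud."""

    def __init__(self):
        self.public = {}   # file name -> encrypted blob (anyone may rewrite it)
        self.private = {}  # file name -> policy, upload hash code, key

    def upload(self, name, ciphertext, min_role, key):
        # Admin outsources the encrypted file; policy and hash stay private.
        self.public[name] = ciphertext
        self.private[name] = {"min_role": min_role, "key": key,
                              "sha512": sha512_hex(ciphertext)}

    def download(self, name, role):
        record = self.private[name]
        # 1. Role check: unknown roles rank 0 and never satisfy a policy.
        if ROLE_RANK.get(role, 0) < ROLE_RANK[record["min_role"]]:
            raise PermissionError(f"role {role!r} may not access {name!r}")
        # 2. Integrity check before the key is released (constant-time compare).
        blob = self.public[name]
        if not hmac.compare_digest(sha512_hex(blob), record["sha512"]):
            raise ValueError(f"{name!r} was modified after upload")
        return blob, record["key"]


def outcome(store, name, role):
    """Return 'ok' or the name of the exception a download raises."""
    try:
        store.download(name, role)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def demo():
    store = HybridStore()
    ciphertext = bytes(range(32))  # constructed stand-in for real ciphertext
    store.upload("marksheet.enc", ciphertext, "faculty", key=b"constructed-key")
    results = [outcome(store, "marksheet.enc", "faculty"),
               outcome(store, "marksheet.enc", "student")]
    # Unauthorized modification in the public cloud: one flipped bit.
    store.public["marksheet.enc"] = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]
    results.append(outcome(store, "marksheet.enc", "faculty"))
    return results


if __name__ == "__main__":
    print(demo())
```

The reference hash is read from the private side because a hash code stored beside the file in the public cloud could be recomputed by whoever modified the file, and the comparison would then still succeed.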
For database connectivity, JDBC-ODBC drivers are used. The proposed system is implemented on Amazon Elastic Compute Cloud (Amazon EC2). Instances are created on Amazon for the admin/data owner. The Windows free tier is used for the implementation.

6. Result and Discussion

Experimental analysis of the proposed system is given in this section.

Figure 3: Time for Encryption

Figure 3 shows the file encryption time for the proposed and existing systems. It shows that the existing system requires more time than the proposed system.

Figure 4: Time for Decryption

Figure 4 shows the file decryption time for the proposed and existing systems. It shows that the existing system requires more time than the proposed system.

7. Conclusion

Existing systems have some limitations; for example, they do not provide data integrity along with data privacy. In the proposed system, access can be controlled using the Role Based Encryption algorithm with access control policies. In the existing system, the time required to encrypt and decrypt a file is greater than in the proposed system. Thus, data access can be controlled using the RBE algorithm.

8. Acknowledgement

I would like to thank my guide Prof. R. H. Borhade for his exemplary guidance and constant encouragement throughout the duration of the paper. His valuable suggestions were of immense help throughout this paper.

References

[1] L. Zhou, V. Varadharajan, and M. Hitchens, "Achieving Secure Role-Based Access Control on Encrypted Data in Cloud Storage," IEEE Transactions on Information Forensics and Security, vol. 8, no. 12, December 2013.
[2] M. Nabeel, N. Shang, and E. Bertino, "Privacy Preserving Policy-Based Content Sharing in Public Clouds," IEEE Transactions on Knowledge and Data Engineering, vol. 25, no. 11, November 2013.
[3] Cecile Delerablee, "Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys," ASIACRYPT 2007, LNCS 4833, pp. 200-215, 2007.
[4] Z. Wan, J. Liu, and Robert H. Deng, "HASBE: A Hierarchical Attribute-Based Solution for Flexible and Scalable Access Control in Cloud Computing," IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, April 2012.
[5] H. R. Hassen, A. Bouabdallah, H. Bettahar, and Y. Challal, "Key management for content access control in a hierarchy," Comput. Netw., vol. 51, no. 11, pp. 3197-3219, 2007.
[6] J. Hur and D. Kun Noh, "Attribute-Based Access Control with Efficient Revocation in Data Outsourcing Systems," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 7, July 2011.
[7] R. Tamassia, W. H. Winsborough, "Independently Verifiable Decentralized Role-Based Delegation," IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, vol. 40, no. 6, November 2010.
[8] L. Zhou, V. Varadharajan, and M. Hitchens, "Enforcing role-based access control for secure data storage in the cloud," Comput. J., vol. 54, no. 13, pp. 1675-1687, Oct. 2011.
[9] P. S. L. M. Barreto, B. Libert, N. McCullagh, and J.-J. Quisquater, "Efficient and provably secure identity based signatures and signcryption from bilinear maps," in ASIACRYPT (Lecture Notes in Computer Science), vol. 3788. New York, NY, USA: Springer-Verlag, Dec. 2005, pp. 515-532.
[10] C. Gentry and A. Silverberg, "Hierarchical ID-based cryptography," in ASIACRYPT (Lecture Notes in Computer Science), vol. 2501. New York, NY, USA: Springer-Verlag, 2002, pp. 548-566.
[11] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. ACM Conf. Comput. Commun. Sec., Oct./Nov. 2006, pp. 89-98.