=Paper=
{{Paper
|id=Vol-1580/17
|storemode=property
|title=Improving Data Sharing Security in Cloud Computing
|pdfUrl=https://ceur-ws.org/Vol-1580/id17.pdf
|volume=Vol-1580
|authors=Ibtissam Ennajjar,Youness Tabii,Abdelhamid Benkaddour
|dblpUrl=https://dblp.org/rec/conf/bdca/EnnajjarTB15
}}
==Improving Data Sharing Security in Cloud Computing==
Proceedings of the International Conference on Big Data, Cloud and Applications, Tetuan, Morocco, May 25 - 26, 2015

Ibtissam Ennajjar, Youness Tabii, Abdelhamid Benkaddour

Lirosa laboratory, Faculty of Sciences, Abdelmalek Essaadi University, Tetuan, Morocco

ennajjar.ibtissam@gmail.com, youness.tabii@gmail.com, Ham.benkaddour@yahoo.fr

Abstract— Cloud computing has emerged as a new computing paradigm in which all IT infrastructure can be outsourced and still work as if it were on premise. It offers numerous advantages to both customers and providers, especially in cost, which is typically low compared to buying, configuring and managing your own resources. One of its tremendous services is data sharing and data storage. Customers can outsource a huge amount of data to the cloud without having to worry about memory capacity or the size of the data, since the cloud system manages the scaling of the servers needed to hold it. The cloud is flexible, scalable and dynamic, so there is no need to worry about capacity. But one of the predominant concerns encountered in the cloud, and one that can change your mind about this attractive picture, is security. As more and more sensitive data and personal information are placed in the cloud, security concerns grow. Building trust in providers is not an easy task given the number of outages and threats reported since the adoption of cloud computing. In this paper, we give a new approach to enhance the security of data outsourced to a cloud environment. The approach is based on the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme. It consists of encrypting data before outsourcing it and controlling access to it by encryption. Our method offers scalability, flexibility and fine-grained access control of data in the cloud. It also provides an efficient way to share confidential data on cloud servers.

Keywords—cloud computing; security; data; attribute based encryption; access control; data sharing

I. INTRODUCTION

Over the last decades, the computing world has seen considerable changes. The combination of many technologies such as virtualization, utility computing, the web, clustering, networks and others makes the computing environment suitable for creating new paradigms that encourage the use of technology and enhance its efficiency. Also, the advent of various internet-connected devices and the high level of internet consumption around the world led IT experts to wonder: why not open up the world of computing to a wider variety of applications and enjoy its numerous goods and services by giving access through any internet connection? So, we can imagine a delivery of computing as a service rather than as a product. When we use the word computing, it includes the cost of CPU, memory, storage, network and other software required to create the ecosystem needed by an IT infrastructure. So they tried to bring together several existing technologies to come up with a new complex computing concept called cloud computing. Cloud computing gives the client cost efficiency, unlimited storage, scalability, mobility, accessibility and several other advantages to ensure that the work is done correctly and safely. The mechanism consists of a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet.

This said, it is true that cloud computing offers potential benefits, but that should not blind cloud consumers to its main risk and disadvantage, which is security and privacy. Moving sensitive and personal data to a public cloud may be a bad deal unless there is great trust in all parties interacting in the cloud environment. The entire IT infrastructure is under the control of the cloud provider. Also, it must not be forgotten that when this infrastructure is created, it inherits all the security concerns that distributed systems and virtual resources encounter at different levels, such as data leakage, data remanence, hypervisor security issues [1], network penetration, insecure SSL trust configuration, injection flaws such as SQL injection, Distributed Denial of Service attacks and others.

Additionally, the centralization of resources and the shared data environment make the cloud provider a very tempting target. Hackers, malicious insiders and malicious tenants can be a source of various man-made threats. So, the threat of access to users' sensitive information stored in a cloud system is very high.

Access control is a fundamental feature of information security, since it consists of granting users authorization to access different resources. Improper or malicious operation can cause considerable damage to an individual or organization. Guaranteeing a good access control mechanism in the cloud can have a hugely positive impact on the secrecy, integrity and availability of data, and therefore on the security of the cloud environment [2, 3, and 4].

Surely there are many kinds of access control models and schemes that have demonstrated their effectiveness, but given the particularities of cloud infrastructure, it has become necessary to strengthen earlier models and explore new approaches to meet the changes that cloud computing introduces in organizations' infrastructure.

In this paper we propose a new cryptographic access control approach for cloud storage. It is based on the Ciphertext-Policy Attribute-Based Encryption scheme. We propose a new method of applying the CP-ABE scheme in a cloud architecture with the aim of improving the security of data shared in the cloud.

The paper is structured as follows: Section II introduces several cryptographic access control techniques used to secure data on outsourced servers. Section III presents cloud security needs in terms of data sharing and access control and presents our approach. Finally, Section IV discusses the conclusion and perspectives.

II. CRYPTOGRAPHIC SCHEMES OF ACCESS CONTROL

Since cloud storage is full of personal and sensitive data shared by consumers, the main concern that preoccupies cloud users is how to keep data confidential and grant access only to authorized individuals or groups. Ensuring data confidentiality together with a fine-grained, scalable and flexible access control system is still a preeminent concern in the cloud, which keeps researchers continuously looking for new methods to secure data sharing and data access in cloud computing. Confidentiality can be achieved by encrypting data before outsourcing it. To secure access control, many encryption schemes have been proposed for accessing encrypted data on untrusted servers. In this section we present some of them that can help ensure security in the cloud.

We start with traditional public key encryption (PKE) and why it is, in some situations, regarded as outdated. Applying PKE in the cloud can be an acceptable way to strengthen the confidentiality of data, but the scalability of the cloud and the huge number of users make this technique impractical. In the PKE process, the data owner needs one public key for each user to encrypt data, which makes key handling difficult and impacts storage and computation capacity [6]. Moreover, the loss or theft of a private key can be a serious problem [7].

Consequently, researchers shifted their attention towards other techniques such as Attribute Based Encryption (ABE).

The first research on attribute-based encryption was presented by Sahai and Waters in [8] as a new type of Identity-Based Encryption (IBE) scheme. In an ABE system the encryption scheme is based on a set of attributes that contribute to the generation of the private and public keys. For instance, if you want to share a document or any data with a specific group of users, you first have to specify a number of attributes that describe this group, then you encrypt your data based on those attributes. When users want to see the data they must provide a private key with a set of attributes that is close to the ones used in encryption. In this way, a ciphertext can be encrypted to a group of users and not just to one as in traditional public key encryption. This makes the ABE scheme suitable for distributed systems and hence for cloud environments. Also, data can be stored on an untrusted server, since it is encrypted and access to it is controlled by encryption. But like any new technique, ABE also had its drawbacks and limits: its attributes were described as not very expressive, which limits its applicability to larger systems [8].

This was a wake-up call for researchers to extend it and produce other concepts based on it, such as KP-ABE, CP-ABE, HABE, HASBE and MAABE. Here we give a short description of each of these schemes.

A. Key-Policy Attribute Based Encryption (KP-ABE)

The Key-Policy Attribute Based Encryption (KP-ABE) scheme was proposed in 2006 by Goyal et al. based on ABE [8]. Encrypted data in KP-ABE is associated with a set of attributes that describe the user who has the authorization to decrypt data. To match user and data, the user's private key must contain an access policy, and it decrypts the data when the ciphertext attributes match the policy. For example, a ciphertext with attributes {Computer Science AND Student} and an access structure {Computer Science AND (Student OR Professor)} can be combined, and then the data becomes visible to the user.

B. Ciphertext-Policy Attribute Based Encryption (CP-ABE)

Ciphertext-Policy Attribute Based Encryption (CP-ABE) was proposed by Bethencourt et al. based on ABE and KP-ABE [9]. The main idea of this scheme is not far from KP-ABE; the difference lies in where the access policy is incorporated. In CP-ABE, the access policy is in the encrypted data (ciphertext) and the set of descriptive attributes is associated with the user's private key, unlike KP-ABE, where the access policy is included in the user's private key and the set of attributes characterizes the ciphertext. The user can decrypt data if and only if his private key's attributes correspond to the access structure. Take, for instance, the following access structure combined with the ciphertext: {Computer Science AND (Professor OR Student)}. If the user's private key has the set of attributes {Computer Science AND Student} or {Computer Science AND Professor}, then the user can access the decrypted data; this does not work with other combinations. See Figure 2.

C. Hierarchical Attribute Based Encryption (HABE)

In 2011, Wang et al. proposed a hierarchical attribute-based encryption scheme composed of a hierarchical identity-based encryption scheme (HIBE) and a ciphertext-policy attribute-based encryption scheme [11]. This scheme uses the hierarchical key generation property of the HIBE scheme to generate keys. It was proposed for cloud storage, where the cloud storage service, the data owner, the root authority, the domain authority, and data users are the actors in the process. The role of the cloud storage service is to let a data owner store data and share data with users. The role of the data owner is to encrypt data and share it with users. The role of the root authority is to generate system parameters and domain keys and to distribute them. The role of a domain authority is to manage the domain authorities at the next level and all users in its domain, and to delegate keys to them. Besides, it can distribute secret keys to users. Users can then use their secret keys to decrypt the encrypted data and obtain the message [5].

D. Hierarchical Attribute Set Based Encryption (HASBE)

Zhiguo Wan et al. proposed the HASBE scheme in [12]. The HASBE scheme extends the ASBE scheme to handle the hierarchical structure of the system, as shown in Figure 1. The trusted authority is responsible for managing top-level domain authorities; it is the root-level authority. For example, in an enterprise, employees are kept in the lowest domain level, above that is the department, and above that is the top-level domain, which we call the trusted domain. The trusted authority generates and distributes system parameters and root master keys, and it authorizes the top-level domain authorities. A domain authority delegates keys to its next-level sub-domain authorities. Each user in the system is assigned a key structure, which specifies the attributes associated with the user's decryption key. The HASBE scheme was proposed for scalable, flexible, and fine-grained access control in cloud computing. It organizes system users in a hierarchical structure by applying a delegation algorithm to CP-ASBE.

Figure 1: HASBE Model

E. Multi Authority Attribute Based Encryption (MAABE)

The multi-authority ABE system was proposed by Chase. It consists of many attribute authorities and many users [13]. There is also a set of system-wide public parameters available to everyone (created either by a trusted party or by a distributed protocol between the authorities). A user can choose to go to an attribute authority, prove that it is entitled to some of the attributes handled by that authority, and request the corresponding decryption keys. The authority will run the attribute key generation algorithm and return the result to the user. Any party can also choose to encrypt a message, in which case he uses the public parameters together with an attribute set of his choice to form the ciphertext. Any user who has decryption keys corresponding to an appropriate attribute set can use them for decryption.

Figure 2: CP-ABE process
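
The access structure from subsection B, {Computer Science AND (Professor OR Student)}, worked through as an added example (not code from the paper): the secret-sharing skeleton of a CP-ABE access tree in the style of Bethencourt et al. [9], with AND and OR as threshold gates. It is not an encryption scheme, since it omits the pairing-based, per-user key randomization that real CP-ABE relies on for collusion resistance; the field modulus and all function names are assumptions.

```python
import secrets

P = 2**127 - 1  # prime modulus for the toy field (assumption, not from the paper)

def ATTR(name): return ("attr", name)
def AND(*kids): return (len(kids), list(kids))   # n-of-n threshold gate
def OR(*kids):  return (1, list(kids))           # 1-of-n threshold gate

def split(secret, k, n):
    """Shamir-share `secret` as n points on a random degree k-1 polynomial."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {x: sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)}

def at_zero(points):
    """Lagrange-interpolate the polynomial through `points` at x = 0."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def distribute(node, secret):
    """Push `secret` down the policy tree; each leaf ends up holding one share."""
    if node[0] == "attr":
        return ("attr", node[1], secret)
    k, kids = node
    shares = split(secret, k, len(kids))
    return (k, [distribute(kid, shares[i]) for i, kid in enumerate(kids, 1)])

def recover(node, attrs):
    """Rebuild a node's secret from leaves whose attribute is in `attrs`, else None."""
    if node[0] == "attr":
        return node[2] if node[1] in attrs else None
    k, kids = node
    got = {}
    for i, kid in enumerate(kids, 1):
        value = recover(kid, attrs)
        if value is not None:
            got[i] = value
            if len(got) == k:
                return at_zero(got)
    return None

# The access structure used as the example in subsection B.
POLICY = AND(ATTR("Computer Science"), OR(ATTR("Professor"), ATTR("Student")))

def check(attr_sets):
    """Share a fresh secret under POLICY; report which attribute sets recover it."""
    secret = secrets.randbelow(P)
    tree = distribute(POLICY, secret)
    return [recover(tree, set(a)) == secret for a in attr_sets]

if __name__ == "__main__":
    for attrs in (["Computer Science", "Student"], ["Professor", "Student"]):
        print(attrs, check([attrs])[0])
```

In a real CP-ABE ciphertext the leaf shares appear only in the exponent of group elements, so they can be combined only through a key issued for the matching attributes.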
III. PROPOSED APPROACH

In cloud computing, there are many different issues related to the security of data. When we outsource our data to untrusted servers managed by a third party, it is strongly recommended to encrypt it beforehand and to control who can access it. Existing systems do not usually provide an efficient mode of security that can resist possible attacks on clouds, such as collusion attacks, DDoS attacks and others that can lead to our data being stolen or lost. Furthermore, designing a useful and effective way of securing the data shared in the cloud depends on applying a number of instructions that suit the particularities of the cloud. We give here some of them that we take into consideration in our system architecture. Then we give the scenario of our model.

A. System instructions

1. The data owner should encrypt its data before outsourcing it and identify who can access the ciphertext. This instruction can be realized by incorporating CP-ABE in our model. The owner will create the ciphertext by combining the data, the public key and the access control structure in which he defines the corresponding users.

2. Separate the entity distributing keys from the cloud provider. The owner must choose a third-party entity (authority), different from the cloud provider, to manage the publication of security keys. It is recommended to make sure that there is no communication between the cloud provider and the authority that manages keys.

3. The access control must be fine-grained. Users sharing the same access structure can have different access rights.

4. The system should be scalable, as the cloud is. The system has to work efficiently even if the number of users increases.

5. The system should manage user accountability. The key must stay with the appropriate user. A dishonest user can share the secret key with an unauthorized one.

6. The system must manage user revocation. If a user changes his profile or quits the system, the access granted to him must be denied.

7. The system has to be collusion resistant. Combining attributes in order to satisfy the access policy is not allowed. CP-ABE and other encryption schemes are able to prevent collusion attacks.

Figure 3: proposed architecture

B. Proposed model

Our model consists of applying the CP-ABE scheme in cloud computing by introducing a third party that manages key distribution independently from the cloud provider.

As represented in Figure 3, the data owner first asks the authority to generate the master key and the public key with which he will encrypt his data. Then he encrypts the data using the public key combined with the access policy that he wants to put on the data, to specify who can access it and hence who can decrypt it. After that he sends the encrypted data to the cloud for storage. When a user asks for data, he receives it encrypted. To decrypt it he must send his access attributes to the third party, which generates a private key according to the master key of the data and the user's attributes and sends it to the user. If the private key contains access attributes that match the access policy incorporated in the encrypted data, then the data will be decrypted. Otherwise, the user cannot see it and the operation fails.

CONCLUSION

In this paper we present a new approach to enhance security when sharing data over cloud computing, which consists of using the Ciphertext-Policy Attribute-Based Encryption scheme to ensure a fine-grained and flexible access control system. We give the architecture of our model with the aim of designing it and constructing a specific security model based on mathematical modules in the future. Our model represents an extension of the use of the CP-ABE scheme in cloud storage. In our future work we intend to detail our architecture further, construct a more expressive security scheme and try to handle several CP-ABE limits, such as user revocation and full delegation, with the purpose of providing an efficient encryption scheme designed for the cloud environment.

REFERENCES

[1] S. Subashini, V. Kavitha, "A survey on security issues in service delivery models of cloud computing", Journal of Network and Computer Applications, pp. 1–11, 2011.

[2] S. Rehman, R. Gautam, "Research on Access Control Techniques in SaaS of Cloud Computing", SSCC 2014, CCIS 467, pp. 92–100, 2014.

[3] R. Aluvalu, L. Muddana, "A Survey on Access Control Models in Cloud Computing", Emerging ICT for Bridging the Future - Proceedings of the 49th Annual Convention of the Computer Society of India (CSI), Volume 1, pp. 653-664, 2015.

[4] N. Meghanathan, "Review of access control models for cloud computing", Computer Science & Information Technology (CS & IT), pp. 77-85, 2013.

[5] C. Lee, P. Chung, M. Hwang, "A survey on Attribute-based Encryption Schemes of Access Control in Cloud Environments", International Journal of Network Security, Vol. 15, No. 4, pp. 231-240, July 2013.

[6] M. Rasseena, G. R. Harikrishnan, "Secure Sharing of Data over Cloud Computing using Different Encryption Schemes An overview", International Journal of Computing and Technology, Volume 1, Issue 2, pp. 8-11, 2014.

[7] A. Sahai, B. Waters, "Fuzzy Identity-Based Encryption", Advances in Cryptology - EUROCRYPT, vol. 3494 of LNCS, pp. 457-473, 2005.

[8] V. Goyal et al., "Attribute Based Encryption for Fine-Grained Access Control of Encrypted Data", ACM Conference on Computer and Communications Security (ACM CCS), 2006.

[9] J. Bethencourt et al., "Ciphertext-Policy Attribute-Based Encryption", IEEE Symposium on Security and Privacy (SP'07), 2007.

[10] S. Gokuldev, S. Leelavathi, "HASBE: A Hierarchical Attribute-Based Solution for Flexible and Scalable Access Control by Separate Encryption/Decryption in Cloud Computing", International Journal of Engineering Science and Innovative Technology (IJESIT), Volume 2, Issue 3, May 2013.

[11] G. Wang, Q. Liu, J. Wu, "Hierarchical Attribute-Based Encryption for Fine-Grained Access Control in Cloud Storage Services", in Proceedings of the ACM Conference on Computer and Communications Security (ACM CCS), Chicago, IL, 2010.

[12] Z. Wan, J. Liu, R. H. Deng, "HASBE: A Hierarchical Attribute-Based Solution for Flexible and Scalable Access Control in Cloud Computing", IEEE Transactions on Information Forensics and Security (TIFS), pp. 743-754, 2012.

[13] M. Chase, "Multi-authority Attribute Based Encryption", in TCC, volume 4392 of LNCS, pp. 515–534, Springer, 2007.