Proceedings of the International Conference on Big Data, Cloud and Applications Tetuan, Morocco, May 25 - 26, 2015 Improving Data Sharing Security in Cloud Computing Ibtissam Ennajjar Youness Tabii Abdelhamid Benkaddour Lirosa laboratory, Faculty of Lirosa laboratory, Faculty of Lirosa laboratory, Faculty of Sciences Sciences Sciences Abdelmalek Essaadi University Abdelmalek Essaadi University Abdelmalek Essaadi University Tetuan, Morocco Tetuan, Morocco Tetuan, Morocco ennajjar.ibtissam@gmail.com youness.tabii@gmail.com Ham.benkaddour@yahoo.fr Abstract— Cloud computing has emerged as a new computing of computing as a service rather than as a product. When we paradigm where all IT infrastructure can be outsourced and use the word computing, it includes the cost of CPU, the working as on premise. It offers numerous advantages both for memory, the storage, network and other software required to customers and providers and especially at the cost level that is create the ecosystem needed by an IT infrastructure. So they try typically low compared to buying your own resources, to bring together several existent technologies to come out with configuring and managing them. One of the tremendous services a new complex computing concept called cloud computing. is the data sharing and the data storage. Customers can Cloud computing gives the client cost efficiency, unlimited outsource a huge number of data in cloud without having to storage, scalability, mobility, accessibility and several other worry about the capacity of memory or the size of data as cloud advantages to ensure that the work is done correctly and safely. system manage the scalability of servers needed to contains your data. Cloud is flexible, scalable and dynamic so don’t worry The mechanism consists of a migration from owned resources about capacities. But, one of the predominant concerns to shared resources in which client users receive information encountered in cloud and that can change your mind about this technology services, on demand, from third-party service nice view, is security. As more and more sensitive data and providers via the Internet. personal information placed in the cloud, security concerns grow This said, it is true that cloud computing offers potential up. Building trust in providers it is not an easy task with an benefits but that should not blind cloud consumers to its main amount of outages and threats declared since adoption of cloud risk and disadvantage which is security and privacy. Moving computing. In this paper, we give a new approach to enhance the sensitive and personal data in public cloud may be a bad deal, security of data outsourced in cloud environment. The approach is based on Cipher Policy- Attribute Based Encryption (CP-ABE) unless having a great trust in all parties interacting in cloud scheme. It consists of encrypting data before outsourcing it and environment. The entire IT infrastructure is under the control controlling the access to it by encryption. Our method offers of the cloud provider. Also, it must not be forgotten that when scalability, flexibility and fine grained access control of data in this infrastructure is created, it inherits all security concerns cloud. Also, it provides an efficient manner to share confidential that the distributed systems and virtual resources encounter in data on cloud servers. different levels like: data leakage, data remanence, hypervisor security issues [1], network penetration, insecure SSL trust Keywords—cloud computing; security; data; attribute based configuration, injection flaws like SQL, Distributed Denial of encryption; access control; data sharing Service attacks and others. Additionally, the centralization of resources and the shared I. INTRODUCTION data environment make the cloud provider a very tempting target. Hackers, malicious insiders and malicious tenants can Over the last decades, computing world has seen be source of various man-made threats. So, the menace of considerable changes. The combination of many technologies accessing user’s sensitive information stored in cloud system is like virtualization, utility computing, web, clustering, networks very high. and others make the computing environment suitable to create new paradigms to encourage the use of technology and Access control is a fundamental feature of information enhance its efficiency. Also, the advent of various internet- security, since it consists of granting users authorization to connected devices and the high level of internet consumption access different resources. Improper or malicious operation can over the world lead IT experts to wonder: why not open up the cause very potential damage to an individual or organization. world of computing to a wider variety of applications and Guarantying good access control mechanism in cloud can have enjoy its numerous goods and services by giving access a hugely positive impact on secrecy, integrity and availability through any internet connection. So, we can imagine a delivery of data and then on cloud environment security [2, 3, and 4]. 46 Surely there are many kinds of Access control models and systems and then with cloud environments. Also data can be schemes which have demonstrated their effectiveness, but with stored in untrusted server as they are encrypted and the access the particularity of cloud infrastructure, it has become to it is controlled by encryption. But as any new technique, necessary to strengthen earlier models and explore new ABE had also its drawbacks and limits due to the lack of approaches to meet changes introduced by cloud computing in expression of attributes described as not very expressive, what organizations’ infrastructure. limits its applicability to larger systems [8]. In this paper we will propose a new cryptographic access What was a wake-up call for researchers to extend it and control approach for cloud storage. It is based on Ciphertext produce other concepts based on it such as KP-ABE, CP-ABE, Policy - Attribute Based Encryption scheme. We propose a HABE, HASBE and MAABE. Here we give a little description new method of applying CP-ABE scheme in cloud architecture of each one of these listed schemes. with the target of improving security of shared data in cloud area. A. Key-Policy Attribute Based Encryption (KP-ABE) The paper is structured as follows: section II introduces The Key-Policy Attribute Based Encryption (KP-ABE) many cryptographic access control techniques used to secure scheme was proposed in 2006 by Goyal et al based on ABE data in outsourced servers. Section III presents cloud security [8]. Encrypted data in KP-ABE is combined to a set of needs in term of data sharing and access control and exposes attributes that describe the user who has the authorization to our approach. Finally, Section IV discusses the conclusion and decrypt data. To do a matching between user and data, user’s perspectives. private key must contain an access policy to decrypt data when ciphertext attributes match the policy. For example, a II. CRYPTOGRAPHIC SCHEMES OF ACCESS CONTROL ciphertext with attributes {Computer Science AND Student} and an access structure {Computer Science AND (Student OR Since cloud storage is full with personal and sensitive data Professor)} can be combined and then the data can be visible to shared by consumers, the higher complex that obsesses cloud the user. users is how to keep data confidential and accord access only to authorized individual or group. Ensuring data confidentiality B. Ciphertext- Policy Attribute Based Encryption (CP-ABE) and a fine grained, scalable and flexible access control system still a preeminent concern in cloud area, what makes Ciphertext- Policy Attribute Based Encryption (CP-ABE) researchers looking continuously of new methods to secure was proposed by Bethencourt et al based on ABE and KP-ABE data sharing and data access over cloud computing. [9]. The main idea of this scheme is not very far from KP- Confidentiality can be reached by encrypting data before ABE, there is just a difference at level of the incorporation of outsourcing it. And to secure access control, there are many the access policy. In CP-ABE, the access policy is in the encryption schemes for access control that are proposed to encrypted data (ciphertext) and the set of descriptive attributes access encrypted data in untrusted servers. In this section we are associated with the user’s private key, unlike KP-ABE will expose some of them that can be helpful to ensure security where the access policy is included in user’s private key and in cloud. the set of attributes characterizes the ciphertext. The user can decrypt data if only if his private key’s attributes correspond to Starting with traditional public key encryption (PKE) and the access structure. Let us take, for instance the following why it is in some situations qualified as outdated. Applying access structure combined with the ciphertext {Computer PKE in cloud can be an acceptable manner to strengthen Science AND (Professor OR Student)}. If user’s private key confidentiality of data but the scalability of cloud and a huge has a set of attributes {Computer Science AND Student} OR number of users make this technique impractical. In PKE {Computer Science AND Professor}, then the user can access process, the data owner needs one public key for each user to to decrypted data, what don’t work with other combinations. encrypt data what makes handling keys difficult and it impacts See Figure2. storage computation capacity [6]. Moreover the loss of private key or its theft can be a big dilemma [7]. C. Hierarchical Attribute Based Encryption(HABE) Consequently, researchers shift their attention towards In 2011, Wang et al. proposed a hierarchical attribute- other techniques like Attribute Based Encryption (ABE). based encryption scheme composed of a hierarchical identity- First researches about attribute-based encryption were based encryption scheme (HIBE) and a ciphertext-policy presented by Sahai and Waters in [8] as a new type of Identity- attribute-based encryption scheme [11]. This scheme uses the Based encryption (IBE) scheme. In ABE system the encryption property of hierarchical generation of keys in HIBE scheme to scheme is based on a set of attributes that contribute in the generate keys. It was proposed to be applied in cloud storage generation of the private and public keys. For instance, if you where the cloud storage service, data owner, the root want to share a document or any data with a specific group of authority, the do- main authority, and data users are the actors users you have first to specify a number of attributes that in this process. The role of cloud storage service is to let a data describe this group then you encrypt your data based on those owner can store data and share data with users. The role of attributes. When users want to see data they must provide a data owner is encrypting data and sharing data with users. The private key with a set of attributes that is close to ones used in role of the root authority is generating system parameters and encryption. In this way, ciphertext can be encrypted to a group of users and not just for one as in traditional public key domain keys, to distribute them. The role of domain authority encryption. What make ABE scheme suitable with distributed is managing the domain authority at next level and all users in 47 its domain, to delegate keys for them. Besides, it can distribute secret keys for users. And users can use their secret keys to decrypt the encrypted data and obtain the message [5]. D. Hierarchical Attribute Set Based Encryption(HASBE) Zhiguo Wan et al proposed HASBE scheme in [12]. The HASBE scheme extends the ASBE scheme to handle the hierarchical structure of system as shown in figure 1. The trusted authority is responsible for managing top-level domain authorities. It is root level authority. For example, for an enterprise, employees are kept in the lowest domain level and above that there is department and above that there is top level of domain we call it as a trusted domain. It generates and distributes system parameters and also root-master keys. And it authorizes the top-level domain authorities. A domain authority delegates the keys to its next level sub-domain authorities. Each user in the system is assigned a key structure. Key specifies the attributes associated with the user’s decryption key. HASBE scheme was proposed for scalable, flexible, and fine grained access control in cloud computing. It consists of hierarchical structure of system users by using a delegation algorithm to CP-ASBE. E. Multi AuthorityAttribute Based Encryption(MAABE) Figure1: HASBE Model Multi-authority ABE system was proposed by Chase. It consists of many attributes authorities and many users [13]. attribute key generation algorithm, and return the result to the There are also a set of system wide public parameters user. Any party can also choose to encrypt a message, in available to everyone (either created by a trusted party, or by a which case he uses the public parameters together with an distributed protocol between the authorities). A user can attribute set of his choice to form the ciphertext. Any user who choose to go to an attribute authority, prove that it is entitled has decryption keys corresponding to an appropriate attribute to some of the attributes handled by that authority, and request set can use them for decryption. the corresponding decryption keys. The authority will run the Figure2: CP-ABE process 48 III. PROPOSED APPROACH In cloud computing, there are many different issues related (authority) to manage the publication of to the security of data. When we outsource our data to security keys that is different from the cloud untrusted servers managed by a third party, it is very provider. It is recommended to be sure that recommended to encrypt it before, and having a control to who there are no communication between cloud can access to it. The existing systems don’t usually provide an provider and the authority who manage keys. efficient mode of security that can resist against possible attack of clouds like collusion attack, DDOS attack and others that 3. The access control must be fine grained. can lead our data to be stolen or lost. Furthermore, designing a  Users sharing the same access structure can useful and effective manner of securing the data shared in have different access rights. cloud is based on applying a number of instructions that suit with the cloud distinction. We try here to give some of them 4. The system should be scalable as cloud it is. that we will take in consideration in our system architecture.  The system has to work efficiently even if the Then we give the scenario of our model. number of users increases. A. System instructions 5. The system should manage the user accountability.  The key must be with the appropriate user. Untruthful user can share the secret key with 1. The data owner should to encrypt its data before unauthorized one. outsourcing it and identifying who can access the ciphertext. 6. The system must manage the revocation of user.  This instruction can be realized by  If a user changes his profile or quit the system incorporating CP-ABE in our model. The the access accorded to him must be denied. owner will create the ciphertext by combining 7. The system has to be a collusion resistant. data, public key and the access control structure where he defines the correspondent  The combination of attributes in order to user. satisfy the access policy is not legal. 2. Separate the entity distributing keys from the cloud  CP-ABE and other encryption schemes have provider. the possibility to prevent collusion attack.  The owner must choose a third party entity Figure 3 : proposed architecture 49 B. Proposed model Our model consists of applying the CP-ABE scheme in cloud computing by introducing a third party that manages REFERENCES keys distribution independently from the cloud provider. [1] S. Subashini, V.Kavitha, “A survey on security issues in service delivery As represented in figure 3, the data owner first asks the models of cloud computing” Journal of Network and Computer authority to generate the master key and the public key by Applications pp. 1–11, 2011. which he will encrypt its data. Then he encrypts data using the [2] S. rehman, R. Gautam,” Research on Access Control Techniques in public key combined with the access policy that he wants to SaaS of Cloud Computing” , SSCC 2014, CCIS 467, pp. 92–100, 2014. put on data to specify who can access it and so who can [3] R.Aluvalu, L. Muddana, “A Survey on Access Control Models in Cloud decrypt it. After that he sends encrypted data to cloud for Computing”, Emerging ICT for Bridging the Future - Proceedings of the storing it. When a user asks for data, he receives encrypted one. 49th Annual Convention of the Computer Society of India (CSI) Volume 1, pp 653-664, 2015. To decrypt it he must send its access attributes to the third [4] N. Meghanathan, “Review of access control models for cloud party, which generates a private key according to the master computing” Computer Science & Information Technology (CS & IT), key of data and the user’s attributes and sends it to user. If pp 77-85, 2013. private key contains access attributes that matches the access [5] C. Lee, P. Chung, M. Hwang ,“ A survey on Attribute-based Encryption policy incorporated in cipher data then data will be decrypted. Schemes of Access Control in Cloud Environments”, International Otherwise, user can’t see it and the operation fails. Journal of Network Security, Vol.15, No.4, PP.231-240, July 2013. [6] M. Rasseena, G R. Harikrishnan, “Secure Sharing of Data over Cloud Computing using Different Encryption Schemes An overview”, International Journal of Computing and Technology, Volume1, Issue 2, pp 8-11, 2014 . CONCLUSION [7] A.Sahai, B.Waters, “Fuzzy Identity-Based Encryption”, Advances in Cryptology V EUROCRYPT, vol.3494 of LNCS, pp. 457-473, 2005. On this paper we present a new approach to enhance [8] V.Goyal et al., “Attribute Based Encryption for Fine-Grained Access security when sharing data over cloud computing that consists Control of Encrypted Data”, ACM conference on Computer and of using Ciphertext Policy Attribute Based Encryption scheme Communicatios Security(ACM CCS),2006. to ensure fine grained and flexible access control system. We [9] J. Bethencourt et al., “Ciphertext-Policy Attribute-Based Encryption”, give the architecture of our model with the aim to design it and IEEE Symposium on Security and Privacy(SP’07),2007. construct a specific security model based on mathematical [10] S.Gokuldev, S.Leelavathi, “HASBE: AHierarchical Attribute-Based Solution for Flexible and Scalable Access Control by Separate modules in future. Our model represents an extension of the Encryption/Decryption in Cloud Computing”, International Journal of use of CP-ABE scheme in cloud storage. In our future work we Engineering Science and Innovative Technology(IJESIT), Volume 2, tend to detail more our architecture, construct a more Issue 3, May 2013. expressive security scheme and try to handle many CP-ABE [11] G.Wang, Q.Liu, J.Wu, “Hierarchical Attribute-Based Encryption for limits like user revocation and full delegation with the purpose Fine-Grained Access Control in Cloud Storage Serrvices” , in to provide an efficient encryption scheme designed to cloud Proceeding of ACM conference Computer and Communications Security (ACM CCS), Chicago, IL,2010. environment. [12] WAN, Zhiguo; LIU, June; and DENG, Huijie, Robert. HASBE: A Hierarchical Attribute-Based Solution for Flexible and Scalable Access Control in Cloud ComputingIEEE Transactions on Information Forensics and Security (TIFS), pp. 743-754, 2012. [13] Melissa Chase. Multi-authority Attribute Based Encryption. In TCC, volume 4392 of LNCS, pp. 515–534. Springer, 2007. 50