Multi-authority proxy re-encryption based on CPABE for cloud storage systems

The dissociation between data management and data ownership makes it difficult to protect data security and privacy in cloud storage systems.Traditional encryption technologies are not suitable for data protection in cloud storage systems.A novel multi-authority proxy re-encryption mechanism based on ciphertext-policy attribute-based encryption（MPRE-CPABE） is proposed for cloud storage systems.MPRE-CPABE requires data owner to split each file into two blocks,one big block and one small block.The small block is used to encrypt the big one as the private key,and then the encrypted big block will be uploaded to the cloud storage system.Even if the uploaded big block of file is stolen,illegal users cannot get the complete information of the file easily.Ciphertext-policy attribute-based encryption（CPABE）is always criticized for its heavy overload and insecure issues when distributing keys or revoking user＇s access right.MPRE-CPABE applies CPABE to the multi-authority cloud storage system,and solves the above issues.The weighted access structure（WAS） is proposed to support a variety of fine-grained threshold access control policy in multi-authority environments,and reduce the computational cost of key distribution.Meanwhile,MPRE-CPABE uses proxy re-encryption to reduce the computational cost of access revocation.Experiments are implemented on platforms of Ubuntu and CloudSim.Experimental results show that MPRE-CPABE can greatly reduce the computational cost of the generation of key components and the revocation of user＇s access right.MPRE-CPABE is also proved secure under the security model of decisional bilinear Diffie-Hellman（DBDH）.

NC-MACPABE: Non-centered multi-authority proxy re-encryption based on CP-ABE for cloud storage systems

The cloud storage service cannot be completely trusted because of the separation of data management and ownership, leading to the difficulty of data privacy protection. In order to protect the privacy of data on untrusted servers of cloud storage, a novel multi-authority access control scheme without a trustworthy central authority has been proposed based on CP-ABE for cloud storage systems, called non-centered multi-authority proxy re-encryption based on the cipher-text policy attribute-based encryption(NC-MACPABE). NC-MACPABE optimizes the weighted access structure(WAS) allowing different levels of operation on the same file in cloud storage system. The concept of identity dyeing is introduced to improve the users' information privacy further. The re-encryption algorithm is improved in the scheme so that the data owner can revoke user's access right in a more flexible way. The scheme is proved to be secure. And the experimental results also show that removing the central authority can resolve the existing performance bottleneck in the multi-authority architecture with a central authority, which significantly improves user experience when a large number of users apply for accesses to the cloud storage system at the same time.

Hybrid Cloud Security by Revocable KUNodes-Storage with Identity-Based Encryption

Cloud storage is a service involving cloud service providers providingstorage space to customers. Cloud storage services have numerous advantages,including convenience, high computation, and capacity, thereby attracting usersto outsource data in the cloud. However, users outsource data directly via cloudstage services that are unsafe when outsourcing data is sensitive for users. Therefore, cipher text-policy attribute-based encryption is a promising cryptographicsolution in a cloud environment, and can be drawn up for access control by dataowners (DO) to define access policy. Unfortunately, an outsourced architectureapplied with attribute-based encryption introduces numerous challenges, including revocation. This issue is a threat to the data security of DO. Furthermore,highly secure and flexible cipher text-based attribute access control with role hierarchy user grouping in cloud storage is implemented by extending the KUNodes(revocation) storage identity-based encryption. Result is evaluated using Cloudsim, and our algorithm outperforms in terms of computational cost by consuming32 MB for 150-MB files.

Analysis of Secured Cloud Data Storage Model for Information

This paper was motivated by the existing problems of Cloud Data storage in Imo State University, Nigeria such as outsourced data causing the loss of data and misuse of customer information by unauthorized users or hackers, thereby making customer/client data visible and unprotected. Also, this led to enormous risk of the clients/customers due to defective equipment, bugs, faulty servers, and specious actions. The aim if this paper therefore is to analyze a secure model using Unicode Transformation Format (UTF) base 64 algorithms for storage of data in cloud securely. The methodology used was Object Orientated Hypermedia Analysis and Design Methodology (OOHADM) was adopted. Python was used to develop the security model;the role-based access control (RBAC) and multi-factor authentication (MFA) to enhance security Algorithm were integrated into the Information System developed with HTML 5, JavaScript, Cascading Style Sheet (CSS) version 3 and PHP7. This paper also discussed some of the following concepts;Development of Computing in Cloud, Characteristics of computing, Cloud deployment Model, Cloud Service Models, etc. The results showed that the proposed enhanced security model for information systems of cooperate platform handled multiple authorization and authentication menace, that only one login page will direct all login requests of the different modules to one Single Sign On Server (SSOS). This will in turn redirect users to their requested resources/module when authenticated, leveraging on the Geo-location integration for physical location validation. The emergence of this newly developed system will solve the shortcomings of the existing systems and reduce time and resources incurred while using the existing system.

An Efficient Ciphertext-Policy Attribute-Based Encryption Scheme with Policy Update

Ciphertext-policy attribute-based encryption(CP-ABE)is a promising cryptographic solution to the problem for enforcing fine-grained access control over encrypted data in the cloud.However,when applying CP-ABE to data outsourcing scenarios,we have to address the challenging issue of policy updates because access control elements,such as users,attributes,and access rules may change frequently.In this paper,we propose a notion of access policy updatable ciphertext-policy attribute-based encryption(APU-CP-ABE)by combining the idea of ciphertext-policy attribute-based key encapsulation and symmetric proxy re-encryption.When an access policy update occurs,data owner is no longer required to download any data for re-encryption from the cloud,all he needs to do is generate a re-encryption key and produce a new encapsulated symmetric key,and then upload them to the cloud.The cloud server executes re-encryption without decryption.Because the re-encrypted ciphertext is encrypted under a completely new key,users cannot decrypt data even if they keep the old symmetric keys or parts of the previous ciphertext.We present an APU-CP-ABE construction based on Syalim et al.’s[Syalim,Nishide and Sakurai(2017)]improved symmetric proxy re-encryption scheme and Agrawal et al.’s[Agrawal and Chase(2017)]attribute-based message encryption scheme.It requires only 6 bilinear pairing operations for decryption,regardless of the number of attributes involved.This makes our construction particularly attractive when decryption is time-critical.

Generic attribute revocation systems for attribute-based encryption in cloud storage

Attribute-based encryption(ABE) has been a preferred encryption technology to solve the problems of data protection and access control, especially when the cloud storage is provided by third-party service providers.ABE can put data access under control at each data item level. However, ABE schemes have practical limitations on dynamic attribute revocation. We propose a generic attribute revocation system for ABE with user privacy protection. The attribute revocation ABE(AR-ABE) system can work with any type of ABE scheme to dynamically revoke any number of attributes.

Generic user revocation systems for attribute-based encryption in cloud storage

Cloud-based storage is a service model for businesses and individual users that involves paid or free storage resources. This service model enables on-demand storage capacity and management to users anywhere via the Internet. Because most cloud storage is provided by third-party service providers, the trust required for the cloud storage providers and the shared multi-tenant environment present special challenges for data protection and access control. Attribute-based encryption(ABE) not only protects data secrecy, but also has ciphertexts or decryption keys associated with fine-grained access policies that are automatically enforced during the decryption process. This enforcement puts data access under control at each data item level. However, ABE schemes have practical limitations on dynamic user revocation. In this paper, we propose two generic user revocation systems for ABE with user privacy protection, user revocation via ciphertext re-encryption(UR-CRE) and user revocation via cloud storage providers(UR-CSP), which work with any type of ABE scheme to dynamically revoke users.

Adaptive and Dynamic Mobile Phone Data Encryption Method

To enhance the security of user data in the clouds,we present an adaptive and dynamic data encryption method to encrypt user data in the mobile phone before it is uploaded.Firstly,the adopted data encryption algorithm is not static and uniform.For each encryption,this algorithm is adaptively and dynamically selected from the algorithm set in the mobile phone encryption system.From the mobile phone's character,the detail encryption algorithm selection strategy is confirmed based on the user's mobile phone hardware information,personalization information and a pseudo-random number.Secondly,the data is rearranged with a randomly selected start position in the data before being encrypted.The start position's randomness makes the mobile phone data encryption safer.Thirdly,the rearranged data is encrypted by the selected algorithm and generated key.Finally,the analysis shows this method possesses the higher security because the more dynamics and randomness are adaptively added into the encryption process.

MAVP-FE:Multi-Authority Vector Policy Functional Encryption with Efficient Encryption and Decryption

In cloud,data access control is a crucial way to ensure data security.Functional encryption(FE) is a novel cryptographic primitive supporting fine-grained access control of encrypted data in cloud.In FE,every ciphertext is specified with an access policy,a decryptor can access the data if and only if his secret key matches with the access policy.However,the FE cannot be directly applied to construct access control scheme due to the exposure of the access policy which may contain sensitive information.In this paper,we deal with the policy privacy issue and present a mechanism named multi-authority vector policy(MAVP) which provides hidden and expressive access policy for FE.Firstly,each access policy is encoded as a matrix and decryptors can only obtain the matched result from the matrix in MAVP.Then,we design a novel function encryption scheme based on the multi-authority spatial policy(MAVPFE),which can support privacy-preserving yet non-monotone access policy.Moreover,we greatly improve the efficiency of encryption and decryption in MAVP-FE by shifting the major computation of clients to the outsourced server.Finally,the security and performance analysis show that our MAVP-FE is secure and efficient in practice.

VRS-DB:preserve confidentiality of users'data using encryption approach

We focus on security and privacy problems within a cloud database framework,exploiting the DataBase as a Service(DBaaS).In this framework,an information proprietor drives out its information to a cloud database professional company.The Data-Owner(DO)encrypts the delicate information before transmission at the cloud database professional company end to offer information security.Current encryption ideas,nonetheless,are just halfway homomorphic as all of them intend to enable an explicit kind of calculation,which is accomplished on scrambled information.These current plans can't be coordinated to solve genuine functional queries that include activities of various types.We propose and evaluate a Verifiable Reliable Secure-DataBase(VRS-DB)framework on shared tables along with many primary operations on scrambled information,which enables information interoperability,and permits an extensive possibility of Structured Query Language(SQL)queries to be prepared by the service provider on the encoded data.We show that our security and privacy idea is protected from two forms of threats and are fundamentally proficient.

Secure approach to sharing digitized medical data in a cloud environment

Without proper security mechanisms, medical records stored electronically can be accessed more easily than physical files. Patient health information is scattered throughout the hospital environment, including laboratories, pharmacies, and daily medical status reports. The electronic format of medical reports ensures that all information is available in a single place. However, it is difficult to store and manage large amounts of data. Dedicated servers and a data center are needed to store and manage patient data. However, self-managed data centers are expensive for hospitals. Storing data in a cloud is a cheaper alternative. The advantage of storing data in a cloud is that it can be retrieved anywhere and anytime using any device connected to the Internet. Therefore, doctors can easily access the medical history of a patient and diagnose diseases according to the context. It also helps prescribe the correct medicine to a patient in an appropriate way. The systematic storage of medical records could help reduce medical errors in hospitals. The challenge is to store medical records on a third-party cloud server while addressing privacy and security concerns. These servers are often semi-trusted. Thus, sensitive medical information must be protected. Open access to records and modifications performed on the information in those records may even cause patient fatalities. Patient-centric health-record security is a major concern. End-to-end file encryption before outsourcing data to a third-party cloud server ensures security. This paper presents a method that is a combination of the advanced encryption standard and the elliptical curve Diffie-Hellman method designed to increase the efficiency of medical record security for users. Comparisons of existing and proposed techniques are presented at the end of the article, with a focus on the analyzing the security approaches between the elliptic curve and secret-sharing methods. This study aims to provide a high level of security for patient health records.

Verifiable searchable symmetric encryption for conjunctive keyword queries in cloud storage

Searchable symmetric encryption(SSE)has been introduced for secure outsourcing the encrypted database to cloud storage,while maintaining searchable features.Of various SSE schemes,most of them assume the server is honest but curious,while the server may be trustless in the real world.Considering a malicious server not honestly performing the queries,verifiable SSE(VSSE)schemes are constructed to ensure the verifiability of the search results.However,existing VSSE constructions only focus on single-keyword search or incur heavy computational cost during verification.To address this challenge,we present an efficient VSSE scheme,built on OXT protocol(Cash et al.,CRYPTO 2013),for conjunctive keyword queries with sublinear search overhead.The proposed VSSE scheme is based on a privacy-preserving hash-based accumulator,by leveraging a well-established cryptographic primitive,Symmetric Hidden Vector Encryption(SHVE).Our VSSE scheme enables both correctness and completeness verifiability for the result without pairing operations,thus greatly reducing the computational cost in the verification process.Besides,the proposed VSSE scheme can still provide a proof when the search result is empty.Finally,the security analysis and experimental evaluation are given to demonstrate the security and practicality of the proposed scheme.

Attribute Based DRM Scheme with Dynamic Usage Control in Cloud Computing

In order to achieve fine-grained access control in cloud computing,existing digital rights management(DRM) schemes adopt attribute-based encryption as the main encryption primitive.However,these schemes suffer from inefficiency and cannot support dynamic updating of usage rights stored in the cloud.In this paper,we propose a novel DRM scheme with secure key management and dynamic usage control in cloud computing.We present a secure key management mechanism based on attribute-based encryption and proxy re-encryption.Only the users whose attributes satisfy the access policy of the encrypted content and who have effective usage rights can be able to recover the content encryption key and further decrypt the content.The attribute based mechanism allows the content provider to selectively provide fine-grained access control of contents among a set of users,and also enables the license server to implement immediate attribute and user revocation.Moreover,our scheme supports privacy-preserving dynamic usage control based on additive homomorphic encryption,which allows the license server in the cloud to update the users' usage rights dynamically without disclosing the plaintext.Extensive analytical results indicate that our proposed scheme is secure and efficient.

A Lightweight ABE Security Protection Scheme in Cloud Environment Based on Attribute Weight

Attribute-based encryption(ABE)is a technique used to encrypt data,it has the flexibility of access control,high security,and resistance to collusion attacks,and especially it is used in cloud security protection.However,a large number of bilinear mappings are used in ABE,and the calculation of bilinear pairing is time-consuming.So there is the problem of low efficiency.On the other hand,the decryption key is not uniquely associated with personal identification information,if the decryption key is maliciously sold,ABE is unable to achieve accountability for the user.In practical applications,shared message requires hierarchical sharing in most cases,in this paper,we present a message security hierarchy ABE scheme for this scenario.Firstly,attributes were grouped and weighted according to the importance of attributes,and then an access structure based on a threshold tree was constructed according to attribute weight.This method saved the computing time for decryption while ensuring security and on-demand access to information for users.In addition,with the help of computing power in the cloud,two-step decryption was used to complete the access,which relieved the computing and storage burden on the client side.Finally,we simulated and tested the scheme based on CP-ABE,and selected different security levels to test its performance.The security proof and the experimental simulation result showthat the proposed scheme has high efficiency and good performance,and the solution implements hierarchical access to the shared message.

A Practical Group Key Management Algorithm for Cloud Data Sharing with Dynamic Group

Cloud data sharing service, which allows a group of people to work together to access and modify the shared data, is one of the most popular and efficient working styles in the enterprises. However, the cloud server is not completely trusted, and its security could be compromised by monetary reasons or caused by hacking and hardware errors. Therefore, despite of having advantages of scalability and flexibility, cloud storage service comes with privacy and the security concerns. A straightforward method to protect the user's privacy is to encrypt the data stored at the cloud. To enable the authenticated users to access the encrypted cloud data, a practical group key management algorithm for the cloud data sharing application is highly desired. The existing group key management mechanisms presume that the server is trusted. But, the cloud data service mode does not always meet this condition. How to manage the group keys to support the scenario of the cloud storage with a semi-trusted cloud server is still a challenging task. Moreover, the cloud storage system is a large-scale and open application, in which the user group is dynamic. To address this problem, we propose a practical group key management algorithm based on a proxy re-encryption mechanism in this paper. We use the cloud server to act as a proxy tore-encrypt the group key to allow authorized users to decrypt and get the group key by their private key. To achieve the hierarchical access control policy, our scheme enables the cloud server to convert the encrypted group key of the lower group to the upper group. The numerical analysis and experimental results further validate the high efficiency and security of the proposed scheme.

基于区块链的可搜索加密技术研究综述

在数据外包服务中,为了保护用户隐私和数据安全,数据通常采用密文形式存储于云服务器中。对数据进行加密虽然一定程度上保护了用户数据,但是却带来了用户难以搜索密文中关键字的问题。可搜索加密概念的提出为解决这一问题提供了有效的途径,用户可以直接在加密数据上执行搜索和计算等复杂操作。然而由于不可靠的云服务器等问题,现有的可搜索加密技术仍然存在不支持公平支付、缺乏通用的验证机制和隐私泄露等问题。因此,文中介绍了可搜索加密和区块链两种技术,并讨论了基于区块链的可搜索加密与传统可搜索加密相比的优势;分析和比较了过去两年基于区块链的可搜索加密方案的特点、安全性和效率,并提出了当前方案中的缺陷和未来可能的工作方向。

基于分层结构的匹配量隐藏加密多重映射方案

匹配量隐藏的加密多重映射(EMM)方案可以防止攻击者利用匹配量泄露推理搜索的明文,但是现有方案存在查询计算开销较大的问题。基于被检索数据的匹配量往往服从齐夫定律的特性,设计了一种分层结构的匹配量隐藏EMM方案。相对将全部键值匹配量填充至相等的朴素设计,所提方案将对整体数据的填充转为对多块子数据的填充,减少了存储开销,并实现了常数复杂度的查询开销。安全性分析表明,所提方案能够在查询结果无损的情况下实现匹配量隐藏。仿真结果表明,与当前最高效的方案XorMM相比,所提方案能够以增加10%的存储开销为代价,减小90%的查询计算开销,显著提高查询效率。

面向连接关键词可搜索加密的查询恢复攻击

为了恢复连接关键词可搜索加密方案中的用户查询,提出了2种针对连接查询可搜索加密方案的攻击方法,分别是交叉泄露攻击和频率匹配攻击。首先,从泄露中提取候选关键词集合;然后,分别利用关键词对结果模式泄露和查询频率信息进行过滤。结果表明,在交叉泄露攻击中,当攻击者仅掌握10%的数据集时,若关键词在空间为100,查询恢复的准确率可高达90%,将关键词空间扩大至1000,攻击者依然能够恢复50%以上的查询;在频率匹配攻击中,即使攻击者仅已知不准确的频率分布信息,也至少可以准确恢复70%的查询。

支持策略检索的属性基可搜索加密方案

为解决现有属性基可搜索加密方案仅支持单关键词检索或联合多关键词检索的问题,提升用户检索的灵活性,提出一种支持策略检索的属性基可搜索加密方案。使用LSSS(linear secret sharing schemes)技术构造用户检索陷门,支持任意单调布尔公式表示的搜索策略。结合属性加密实现对密文细粒度的访问控制。通过与现有方案进行计算和存储效率的对比分析,并进行实验仿真,结果表明,提出的方案在效率和安全性方面均有显著提升。

云存储与区块链相结合的电子数据共享模型研究

为解决公安局、检察院、法院及其他司法单位间电子数据共享中存在的低共享程度、安全性不足以及业务协同效率低下等问题,综合运用云存储、区块链、非对称加密、密文可搜索和代理重加密等技术,提出了一种云存储技术与联盟区块链技术相结合的电子数据共享模型。通过理论分析和模型构建,表明该模型能够在公检法等司法单位之间实现电子数据的高效、安全可靠和可溯源共享,从而提高了司法协同效率,而且为司法领域的数字化改革提供了理论基础和技术框架,对推动司法工作的数字化转型具有重要的理论和实践意义。