04-05-2011, 12:29 PM
Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing
Abstract
Cloud computing is an emerging computing
paradigm in which resources of the computing infrastructure
are provided as services over the Internet. As promising as it is,
this paradigm also brings forth many new challenges for data
security and access control when users outsource sensitive data
for sharing on cloud servers, which are not within the same
trusted domain as data owners. To keep sensitive user data
confidential against untrusted servers, existing solutions usually
apply cryptographic methods by disclosing data decryption keys
only to authorized users. However, in doing so, these solutions
inevitably introduce a heavy computation overhead on the data
owner for key distribution and data management when finegrained
data access control is desired, and thus do not scale
well. The problem of simultaneously achieving fine-grainedness,
scalability, and data confidentiality of access control actually still
remains unresolved. This paper addresses this challenging open
issue by, on one hand, defining and enforcing access policies based
on data attributes, and, on the other hand, allowing the data
owner to delegate most of the computation tasks involved in finegrained
data access control to untrusted cloud servers without
disclosing the underlying data contents. We achieve this goal by
exploiting and uniquely combining techniques of attribute-based
encryption (ABE), proxy re-encryption, and lazy re-encryption.
Our proposed scheme also has salient properties of user access
privilege confidentiality and user secret key accountability. Extensive
analysis shows that our proposed scheme is highly efficient
and provably secure under existing security models.
I. INTRODUCTION
Cloud computing is a promising computing paradigm which
recently has drawn extensive attention from both academia and
industry. By combining a set of existing and new techniques
from research areas such as Service-Oriented Architectures
(SOA) and virtualization, cloud computing is regarded as such
a computing paradigm in which resources in the computing
infrastructure are provided as services over the Internet. Along
with this new paradigm, various business models are developed,
which can be described by terminology of “X as a
service (XaaS)” [1] where X could be software, hardware,
data storage, and etc. Successful examples are Amazon’s EC2
and S3 [2], Google App Engine [3], and Microsoft Azure [4]
which provide users with scalable resources in the pay-as-youuse
fashion at relatively low prices. For example, Amazon’s S3
data storage service just charges $0.12 to $0.15 per gigabytemonth.
As compared to building their own infrastructures,
users are able to save their investments significantly by migrating
businesses into the cloud. With the increasing development
of cloud computing technologies, it is not hard to imagine that
in the near future more and more businesses will be moved
into the cloud.
As promising as it is, cloud computing is also facing many
challenges that, if not well resolved, may impede its fast
growth. Data security, as it exists in many other applications,
is among these challenges that would raise great concerns
from users when they store sensitive information on cloud
servers. These concerns originate from the fact that cloud
servers are usually operated by commercial providers which
are very likely to be outside of the trusted domain of the users.
Data confidential against cloud servers is hence frequently
desired when users outsource data for storage in the cloud. In
some practical application systems, data confidentiality is not
only a security/privacy issue, but also of juristic concerns. For
example, in healthcare application scenarios use and disclosure
of protected health information (PHI) should meet the requirements
of Health Insurance Portability and Accountability Act
(HIPAA) [5], and keeping user data confidential against the
storage servers is not just an option, but a requirement.
Furthermore, we observe that there are also cases in which
cloud users themselves are content providers. They publish
data on cloud servers for sharing and need fine-grained data
access control in terms of which user (data consumer) has the
access privilege to which types of data. In the healthcare case,
for example, a medical center would be the data owner who
stores millions of healthcare records in the cloud. It would
allow data consumers such as doctors, patients, researchers
and etc, to access various types of healthcare records under
policies admitted by HIPAA. To enforce these access policies,
the data owners on one hand would like to take advantage of
the abundant resources that the cloud provides for efficiency
and economy; on the other hand, they may want to keep the
data contents confidential against cloud servers.
As a significant research area for system protection, data
access control has been evolving in the past thirty years and
various techniques [6]–[9] have been developed to effectively
implement fine-grained access control, which allows flexibility
in specifying differential access rights of individual users. Traditional
access control architectures usually assume the data
owner and the servers storing the data are in the same trusted
domain, where the servers are fully entrusted as an omniscient
reference monitor [10] responsible for defining and enforcing
access control policies. This assumption however no longer
holds in cloud computing since the data owner and cloud
servers are very likely to be in two different domains. On one
hand, cloud servers are not entitled to access the outsourced
data content for data confidentiality
Download full report
http://chennaisundayieee%202010/Achieving%20Secure,%20Scalable,%20and%20Fine-grained%20Data%20Access%20Control%20in%20Cloud%20Computing.pdf
