11-05-2011, 04:35 PM
Abstract
Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.
I. INTRODUCTION
Cloud computing is a promising computing paradigm which recently has drawn extensive attention from both academia and industry. By combining a set of existing and new techniques from research areas such as Service-Oriented Architectures (SOA) and virtualization, cloud computing is regarded as such a computing paradigm in which resources in the computing infrastructure are provided as services over the Internet. Along with this new paradigm, various business models are developed, which can be described by terminology of “X as a service (XaaS)” [1] where X could be software, hardware, data storage, etc. Successful examples are Amazon’s EC2 and S3 [2], Google App Engine [3], and Microsoft Azure [4], which provide users with scalable resources in the pay-as-you-use fashion at relatively low prices. For example, Amazon’s S3 data storage service just charges $0.12 to $0.15 per gigabyte-month.
As compared to building their own infrastructures, users are able to save their investments significantly by migrating businesses into the cloud. With the increasing development of cloud computing technologies, it is not hard to imagine that in the near future more and more businesses will be moved into the cloud.
As promising as it is, cloud computing is also facing many challenges that, if not well resolved, may impede its fast growth. Data security, as it exists in many other applications, is among these challenges that would raise great concerns from users when they store sensitive information on cloud servers. These concerns originate from the fact that cloud servers are usually operated by commercial providers which are very likely to be outside of the trusted domain of the users. Data confidentiality against cloud servers is hence frequently desired when users outsource data for storage in the cloud. In some practical application systems, data confidentiality is not only a security/privacy issue, but also of juristic concerns. For example, in healthcare application scenarios use and disclosure of protected health information (PHI) should meet the requirements of Health Insurance Portability and Accountability Act (HIPAA) [5], and keeping user data confidential against the storage servers is not just an option, but a requirement.
Furthermore, we observe that there are also cases in which cloud users themselves are content providers. They publish data on cloud servers for sharing and need fine-grained data access control in terms of which user (data consumer) has the access privilege to which types of data. In the healthcare case, for example, a medical center would be the data owner who stores millions of healthcare records in the cloud. It would allow data consumers such as doctors, patients, researchers, etc., to access various types of healthcare records under policies admitted by HIPAA. To enforce these access policies, the data owners on one hand would like to take advantage of the abundant resources that the cloud provides for efficiency and economy; on the other hand, they may want to keep the data contents confidential against cloud servers.
As a significant research area for system protection, data access control has been evolving in the past thirty years and various techniques [6]–[9] have been developed to effectively implement fine-grained access control, which allows flexibility in specifying differential access rights of individual users. Traditional access control architectures usually assume the data owner and the servers storing the data are in the same trusted domain, where the servers are fully entrusted as an omniscient reference monitor [10] responsible for defining and enforcing access control policies. This assumption however no longer holds in cloud computing since the data owner and cloud servers are very likely to be in two different domains.
Download full report
http://chennaisundayieee%202010/Achieving%20Secure,%20Scalable,%20and%20Fine-grained%20Data%20Access%20Control%20in%20Cloud%20Computing.pdf