From RBAC To ABAC Constructing Flexible Data Access Control For Cloud Storage Services
Abstract—This paper addresses how to construct an RBAC-compatible secure cloud storage service with a user-friendly and
easy-to-manage attribute-based access control (ABAC) mechanism. Similar to role hierarchies in RBAC, attribute hierarchies
(considered as partial ordering relations) are introduced into attribute-based encryption (ABE) in order to define a seniority relation
among all values of an attribute, whereby a user holding senior attribute values acquires permissions of his/her juniors. Based on these
notations, we present a new ABE scheme called attribute-based encryption with attribute hierarchies (ABE-AH) to provide an efficient
approach to implement comparison operations between attribute values on a poset derived from an attribute lattice. By using bilinear
groups of a composite order, we present a practical construction of ABE-AH based on forward and backward derivation functions.
Compared with prior solutions, our scheme offers a compact policy representation approach that can significantly reduce the size of
private-keys and ciphertexts. To demonstrate how to use the presented solution, we illustrate how to provide richer expressive access
policies to facilitate flexible access control for data access services in clouds.
Index Terms—Security, secure cloud storage, role-based access control, attribute-based encryption, data migration
1 INTRODUCTION
nsed use limited to: MINISTERE DE L'ENSEIGNEMENT SUPERIEUR ET DE LA RECHERCHE SCIENTIFIQUE. Downloaded on May 12,2022 at 09:15:28 UTC from IEEE Xplore. Res
ZHU ET AL.: FROM RBAC TO ABAC: CONSTRUCTING FLEXIBLE DATA ACCESS CONTROL FOR CLOUD STORAGE SERVICES 603
604 IEEE TRANSACTIONS ON SERVICES COMPUTING, VOL. 8, NO. 4, JULY/AUGUST 2015
User’s authority. In RBAC we use a simple binary relation between users and roles, and in most cases only one role is assigned in current session; but a set of attribute assignments included in the attribute

Observing the above comparison, it is not difficult to find that ABAC model has stronger ability to express complex access policies than RBAC model, moreover RBAC-based rule can be converted and integrated into ABAC-based policy.
TABLE 2
Comparison between RBAC and ABAC

| | RBAC | ABAC |
|---|---|---|
| User’s authority | UA: a binary relation between U and R | r: multiple attribute assignments |
| Hierarchical structure | RH: one role hierarchy | H_i: multiple attribute hierarchies |
| Resource’s constraint specification | PA: a binary relation between P and R | p: an access policy function |
| Permission criterion | Relation search between user and permission | Match: policy matching between p and r |
Benefited from this kind of conversion, ABAC-based cloud storage service will provide a more secure, flexible, scalable way to share data than existing RBAC-based IT systems.

(as an example of line ordering relation) based on CP-ABE scheme, it is not efficient enough for general partial ordering relations.
to append into RBAC system. The proxy can perform the following functions: rule conversion between RBAC and ABAC, encryption/decryption processes, and key management. The process of proxy is described as follows:

- When a “create” requestor asks to store a new data to cloud, the proxy converts the role of roles corresponding to permission p1 = “write”, p2 = “create”, and p3 = “read” into policy functions {p1, p2, p3} according to Section 3.2; and then, the proxy obtains the ABE keys escrowed by key management unit, and uses the keys and {p1, p2, p3} to encrypt the data as ABE-ciphertext; finally, the ciphertext and its policy {p1, p2, p3} is sent to the cloud.
- When a “write” requestor asks to write the existing data to cloud, the proxy does not need to rewrite the policy function {p1, p2, p3}, but re-encrypts the modified parts into the cloud.
- When a “read” requestor asks to read data stored in the cloud, the proxy first downloads the policy function p3 corresponding to permission “read” and performs the access authorization decision (see Section 3.2); if it permits, the proxy obtains the ABE keys escrowed by key management unit, and then downloads and decrypts the data.

We will highlight the rule conversion from RBAC to ABAC, as well as RBAC-compatible ABE system below.

3.2 Rule Conversion from RBAC to ABAC
Recall the analysis in Section 2.3, it is easy to find that ABAC’s expression ability is stronger than that of RBAC. This means that we might convert access constraints from RBAC model into ABAC model. Given an RBAC system that is constructed on the standard RBAC model in Definition 1, we present a simple conversion method based on “one-to-one” mapping from role to attribute as follows:

- Map the set of roles R and its hierarchy RH to a poset (A, ) = (R, RH), where each role r_i ∈ R becomes the attribute value a_i ∈ A and A = R. This mapping is direct and obvious.
- Map each permission p ∈ P to a policy function p with Boolean function

  p := ∨_{∃r, (p,r)∈PA} (r A). (1)

- Map user’s assignments (for a certain u ∈ U) to an attribute assignment r as

  r := A {r ∈ R | (u, r) ∈ UA}. (2)

conversion method based on “one-to-many” mapping from role to attribute as follows:

- The role set R is divided into n groups of set of attributes, that is, R = A_1 A_2 A_n. For each A_i, we build a hierarchy (A_i, ).
- Map each permission p ∈ P to a policy function p, but Equation (1) also need to become

  p := ∨_{∀r=(a_1,...,a_n), (p,r)∈PA} ( ∧_{a_i∈r} (a_i A_i) ).

- Similarly, Equation (2) becomes

  r := (A_1, ..., A_n) {(a_1, ..., a_n) | = (a_1, ..., a_n) ∈ R : (u, r) ∈ UA}.

We define the partial ordering relation on the Cartesian product of ordered sets as follows: (a_1, ..., a_n) (a′_1, ..., a′_n) if and only if a_1 a′_1 ∧ ∧ a_n a′_n. This is a partial order.

Next, we describe the process of accessing cloud resources. If the user wishes to access the data in the cloud, the system first obtains the access policy of the resource, then calculates roles(s) to get the set of authorized roles, where roles(s) {r ∈ R | ∃r′ ∈ R, r r′ : (user(s), r′) ∈ UA}. Using the set of authorized roles, the system can check whether there is an effective subset of roles in roles(s) which meets the above access policy, that is, Match(p, r) = true. If the subset exists, the system downloads the data and decrypts it locally.

We give a simple approach to implement “Access Authorization Decision”, which adopts the roles in RBAC to verify the ABAC policy function p. In the case of simple “one-to-one” conversion, the verification can be checked by using

  ∨_{a=r, r∈roles(s)} Match(p, (A a)) = true (accept) or false (reject),

where p := ∨_{∃r″, (p,r″)∈PA} (r″ R). This means that there exists at least one r ∈ roles(s) and r″ ∈ R for r″ r to make (p, r″) ∈ PA if the above verification is accepted. This is consistent with the statement of permissions in RBAC, that is, ∪_{r∈roles(s)} {p ∈ P | ∃r″ ∈ R, r″ r : (p, r″) ∈ PA}. Furthermore, in the case of “multi-attribute” composite, the above equation turns into

  ∨_{∀r=(a_1,...,a_n), r roles(s)} Match(p, (A_1, ..., A_n) (a_1, ..., a_n)) = true (accept) or false (reject).
3.3 An Example of Our Solution
We assume we have a simple RBAC-based University system, in which the set of roles R and role hierarchy RH are shown in Fig. 4 (it is the same as the Department in Fig. 2). We assume that there exist two users Vincent and Crown in this system, that is, U := (Vincent, Crown). Moreover, we assume that Vincent works at EconomicsDepartment (EcD) and Crown is a SchoolLeaderofBusiness, namely,

  UA := ((Vincent, EcD), (Crown, SLB)), (3)

where EcD and SLB are two acronyms for name of department. According to Equation (1) in our conversion method, the system manager designates the attribute assignments

  r_Vincent := A {r ∈ R | (Vincent, r) ∈ UA} = A EcD,
  r_Crown := A {r ∈ R | (Crown, r) ∈ UA} = A SLB

into the ABE’s private key of Vincent and Crown, respectively.

Next, we assume that a document (called Doc1) in this system has the Read and Write permissions, P := (Read, Write), and the permission-to-role assignment is

  PA := ((Read, SB), (Write, SLB)), (4)

where SB and SLB denote SchoolofBusiness and SchoolLeaderofBusiness. According to Equation (2) in our conversion method, the migration proxy can generate two policy functions

  p_write := ∨_{∃r, (Write,r)∈PA} (r A) = ∨_{∃SLB, (Write,SLB)∈PA} (SLB A) = (SLB A)
  p_read := ∨_{∃r, (Read,r)∈PA} (r A) = ∨_{∃SB, (Read,SB)∈PA} (SB A) = (SB A).

  = ∪_{r∈{EcD,SB,Un}} {p ∈ P | ∃r″ ∈ R, r″ r : (p, r″) ∈ PA}
  = {p ∈ P | ∃r″ ∈ R, r″ EcD : (p, r″) ∈ PA}
    ∪ {p ∈ P | ∃r″ ∈ R, r″ SB : (p, r″) ∈ PA}
    ∪ {p ∈ P | ∃r″ ∈ R, r″ Un : (p, r″) ∈ PA}
  = {Read ∈ P | ∃SB ∈ R, SB EcD : (Read, SB) ∈ PA}
    ∪ {Read ∈ P | ∃SB ∈ R, SB SB : (Read, SB) ∈ PA}
  = {Read}.

Hence, the proxy allows to download the encrypted file Doc1 with an encryption policy p_read := (SB A) for Vincent. Vincent is able to decrypt this file by using his private key with attribute assignment r_Vincent = A EcD because the policy matching between the ciphertext’s policy function and the user’s attribute assignment,

  Match(p_read, r_Vincent) = Match(SB A, A EcD) = true

is satisfied in terms of the relation SB EcD in RH.

The “write” (or “create”) operation also executes the similar process as above besides the process of file encrypting and migrating to cloud is accomplished by the migration proxy. In this process, the proxy only needs to verify the matching between the file’s policy and the user’s attribute assignment. For example, the user Crown tries to write the file Doc1, the proxy invokes user(s) → (Crown) and roles(s) {r ∈ R | r SLB : (Crown, SLB) ∈ UA} = {SLB, EcD, AcD, SB, Un}. Based on these values, the permission is computed as ∪_{r∈{SLB,EcD,AcD,SB,Un}} {p ∈ P | ∃r″ ∈ R, r″ r : (p, r″) ∈ PA} = {Read, Write} in terms of the policy PA in Equation (4). Hence, Crown has the authority to write the document Doc1, and the proxy re-encrypts the modification parts submitted by Crown into cloud by using the escrowed ABE encryption key.

We have the ability to achieve multi-attribute conversion at the same process as above if the roles are “one-to-many” mapped to several different set of attributes. This kind conversion is very intuitive and can help to simplify the role hierarchy.
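
The one-to-one conversion of Section 3.2 applied to the University example above, written here as an added example that is not code from the paper. The cover edges of the role hierarchy (Fig. 4 is not reproduced on this page) and the two-attribute split used for the product-order check are assumptions; the code performs only the access decision, not ABE encryption.

```python
"""RBAC -> ABAC one-to-one conversion and access decision (illustrative)."""


class Poset:
    """Attribute hierarchy described by its cover relation (junior, senior)."""

    def __init__(self, covers):
        self.covers = list(covers)

    def down_set(self, value):
        """Every value junior to or equal to `value`."""
        seen, stack = {value}, [value]
        while stack:
            top = stack.pop()
            for junior, senior in self.covers:
                if senior == top and junior not in seen:
                    seen.add(junior)
                    stack.append(junior)
        return seen

    def leq(self, junior, senior):
        return junior in self.down_set(senior)


# ASSUMPTION: cover edges chosen to reproduce the role sets quoted in Section 3.3
# (Vincent -> {EcD, SB, Un}; Crown -> {SLB, EcD, AcD, SB, Un}).
RH = Poset([("Un", "SB"), ("SB", "EcD"), ("SB", "AcD"),
            ("EcD", "SLB"), ("AcD", "SLB")])
UA = {("Vincent", "EcD"), ("Crown", "SLB")}   # Equation (3)
PA = {("Read", "SB"), ("Write", "SLB")}       # Equation (4)


# ---- RBAC side: role activation and permission lookup ----
def roles_of(user):
    """Roles the user may activate: assigned roles plus all their juniors."""
    active = set()
    for u, role in UA:
        if u == user:
            active |= RH.down_set(role)
    return active


def rbac_permissions(user):
    return {perm for perm, role in PA if role in roles_of(user)}


# ---- ABAC side: the converted rules ----
def attribute_assignment(user):
    """Values of the single attribute A held by the user (goes into the key)."""
    return {role for u, role in UA if u == user}


def policy_function(permission):
    """Disjunction of literals 'A is at least r', one per (permission, r) in PA."""
    return sorted(role for perm, role in PA if perm == permission)


def match(policy, assignment):
    """True when some held value is senior to or equal to some required value."""
    return any(RH.leq(need, held) for need in policy for held in assignment)


def conversion_is_consistent():
    """The ABAC decision must equal the RBAC decision for every user/permission."""
    users = {u for u, _ in UA}
    perms = {p for p, _ in PA}
    return all(
        match(policy_function(p), attribute_assignment(u)) == (p in rbac_permissions(u))
        for u in users for p in perms
    )


# ---- One-to-many case: tuples compared under the product order ----
def match_product(policy, held, posets):
    """`policy` is a list of required tuples; a tuple is met when every component
    is dominated in its own hierarchy."""
    return any(
        all(h.leq(need, got) for h, need, got in zip(posets, required, held))
        for required in policy
    )


# Hypothetical split of a role into (unit, rank), constructed for this example.
UNIT = Poset([("Un", "SB"), ("SB", "EcD"), ("SB", "AcD")])
RANK = Poset([("Staff", "Leader")])

if __name__ == "__main__":
    for user in ("Vincent", "Crown"):
        for perm in ("Read", "Write"):
            ok = match(policy_function(perm), attribute_assignment(user))
            print(f"{user:8s} {perm:5s} -> {'accept' if ok else 'reject'}")
    print("consistent with RBAC:", conversion_is_consistent())
```

Running `conversion_is_consistent()` after any change to `UA`, `PA` or the hierarchy is a quick regression check that a migrated policy grants exactly what the RBAC rules granted.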
It is obvious that our conversion methods are complete and sound from the above examples, only if ABE can support partial ordering relation over one or more attribute sets, as well as the matching operation Match(p, r) in decryption. However, the existing schemes do not support this relation. For this purpose, we will put forward such an effective ABE construction in next section.

4 RBAC-COMPATIBLE ABE
In the previous section, the attribute hierarchy (partial ordering relation on (A, )) has been introduced to RBAC-Compatible ABE. This means that comparison operation on attribute hierarchies would be executed in the ABE. However, existing ABE schemes do not support comparison operation on attribute hierarchies at present.¹ In light of the fact that the comparison operation can enhance the capacity of constraint expressions, decrease the computational overheads of encryption and decryption, and reduce the size of ciphertexts and private-keys, in this section we design an efficient cryptographic comparison operations for arbitrary partial orders to support the expressions of attribute lattices in ABE.

4.1 ABE with Attribute Hierarchies
An attribute-based encryption with attribute lattice (ABE-AH) consists of the following five algorithms:

Setup(A, S). Takes in the parameters of cryptosystem S and the attribute universe description A. It outputs a master key msk, the public parameter pp and an encryption-key ek;
GenKey(msk, r). Takes in the manager key msk and a user’s attribute assignments r for a certain user. It outputs a user’s private-key usk.
Encrypt(ek, p, M). Takes in the encryption key ek, the access policy p over A, and the plaintext M ∈ {0, 1} . It outputs a ciphertext C such that only users whose private keys satisfy the access policy p are able to extract M.
Decrypt(pp, usk, C). Takes in the public parameters pp, a ciphertext C and a private key usk. If the set of attributes of usk satisfies the access policy of the ciphertext, it outputs the plaintext M.

In this framework, the scheme must obey this rule as follows: Given the above-mentioned (r, p), we can compute (msk, pp, ek) Setup(A, S) and gsk GenKey(msk, r). Such that, we hold

  Pr[ Decrypt(pp, usk, C) = M | C Encrypt(ek, p, M), Match(p, r) = true ] = 1,

if and only if the access is granted over ⟨p, r⟩ according to the policy matching criterion.

4.2 Security Definition of ABE-AH
To analyze the security of ABE-AH scheme, we first consider a new kind of security, called indistinguishability against chosen plaintext attacks with adaptive attribute lattice (IND-AH-CPA), which can be transformed into the security against chosen ciphertext attacks (IND-CCA) by applying a random oracle technique based on Fujisaki-Okamoto transformation. In this kind of security, we consider that the adversary can query arbitrary partial ordering relations (attribute hierarchies) to construct a key hierarchy. Given an ABE-AH scheme ES, the IND-AH-CPA security is evaluated by the following game:

Setup. The challenger B runs Setup algorithm, gives the adversary A the public parameters pp, and keeps the master key msk and the encryption key ek secret;
Query. The adversary A gives the challenger B an attribute identity-poset pair (A_i, H_i), where H_i = ⟨V_i, ⟩ is an arbitrary partial ordering relation. The challenger B assist A to construct the cooperatively attribute lattice. After all queries are realized, the adversary can require the challenger B to generate a valid ciphertext for an arbitrary policy p and message M.
Challenge. The adversary A submits two equal length messages M_0 and M_1. In addition, the adversary gives a challenge policy p in terms of A. The challenger B flips a random coin b ∈ {0, 1}, and encrypts M_b under a policy p. The correspondent ciphertext C_b is given to the adversary A.
Guess. The adversary outputs a guess b′ ∈ {0, 1} of b.

In this game, the advantage of the adversary A attacking the ABE-AH scheme is defined as Adv_ES^{IND AL CPA}(A) = 1/2 |Pr[b′ = b] Pr[b′ ≠ b]| = Pr[b′ = b] 1/2, where the probability is taken over the random coins of A and all probabilistic algorithms in the scheme.

Definition 4. A ciphertext-policy attribute-based encryption with attribute lattice scheme is (t, ε)-adaptive attribute lattice against chosen plaintext attacks (IND-AH-CPA), if for any polynomial time adversary with time-complexity t, there is at most a negligible advantage ε in the above game.

5 CRYPTOGRAPHIC PARTIAL ORDERING RELATIONS
In this section, we propose a novel construction for integer comparison to overcome the limitations of BSW’s CP-ABE scheme. We first give the background on compositing order bilinear groups. Then, we present two key constructions: forward and backward derivation functions. Finally, we present the construction of our ABE scheme based on those techniques.

5.1 Our Approach
From the discussions above, an efficient secure comparison mechanism is needed to express complex access policy and realize attribute hierarchy. This motivates us to investigate a new approach for partial ordering relation, which can be used to construct encryption schemes based on various comparison relations. In the following, we present our idea of a new approach for cryptographic comparison built on the mathematical principles of comparison relation.

In mathematics, the comparison relation on a partially ordered set (or poset) is a binary relation denoted by infix ,

1. Note that this kind of hierarchy on posets is different from that on the hierarchy IBE (HIBE) schemes because the latter only supports a tree structure.
Pre-image resistance. It is infeasible for any probabilistic polynomial time (PPT) algorithm to compute v_j from v_i if a_j a_i.

Second pre-image resistance. Given an input v_i ∈ V, it is infeasible for any PPT algorithm to find v_j ∈ V, a_i || a_j and f_{pk, a_i a_k}(v_i) = f_{pk, a_j a_k}(v_j).

The above definition follows the definition of general hash function, but from a viewpoint of practical use, we did not require collision resistance, that is, it is infeasible for any PPT algorithm to find two elements v_i and v_j ∈ V and f_{pk, a_i a_k}(v_i) = f_{pk, a_i a_k}(v_j). In addition, the transitivity property can be satisfied because f_{pk, a_i a_k}(v_i) = f_{pk, a_j a_k}(f_{pk, a_i a_j}(v_i)).

We show a simple example to explain HHF in Fig. 7. This example assume that we have a poset H = (A, ), where A = {a_1, a_2, ..., a_7}. Given v_7, the HHF ensures that the value of v_3, v_4, v_1 can be obtained by using f_{pk, }(v_7). Inversely, given v_3, it is hard to guess v_6 and v_7 according to pre-image resistance property. As the same reason, v_4 cannot be guessed because v_4 || v_3. More importantly, in the hierarchy it is easy to find the collision of HHF. For example, v_1 = f_{pk, v_3 v_1}(v_3) = f_{pk, v_4 v_1}(v_4), how-

H(A_i||a_ij)^r for all a_ij ∈ A_i. And then, we define the random mapping function c_sk( ) as follows:

  v_ij c_sk(a_i,j) = v_ij^r = w_i0 ∏_{a_ij 6 a_ik} w_ik = H(A_i)^r ∏_{a_ij 6 a_k} H(A_i||a_ij)^r ∈ G,

where v_ij = w_i0 ∏_{a_ij 6 a_ik} w_ik. Note that, everyone can compute H(A_i) and H(A_i||a_ij), but v_i,j cannot be computed if the secret r is unknown. So we build the public parameter (or the part of ciphertext) as

  pk = (G, H( ), {w_ik}_{∀a_ik, a_ij a_ik}).

Finally, we define the HHF f_pk( ) as

  v_ik f_{pk, a_ij a_ik}(v_ij) = v_ij ∏_{a_il ∈ G(a_ik, a_ij)} w_il
    = (w_i0 ∏_{a_ij 6 a_il} w_il) ∏_{∪_{a_ik 6 a_il}{a_il} \ ∪_{a_ij 6 a_il}{a_il}} w_il
{a_il}, and a_ik ∉ ∪_{a_ik 6 a_il}{a_il}. This means that v_ik can be obtained unless v_ij/w_ik is computed. So, v_ik cannot be computed because w_ik is not in pk. For example, it is hard to compute v_6 = v_3/w_6 from v_3 and w_1, w_3 because w_6 is unknown for a_6 a_3. Also, v_4 = v_3/w_4 cannot be computed from v_3 and w_1, w_3 because w_4 is unknown for a_4 || a_3. This ensures pre-image resistance and second pre-image resistance.

6 CONSTRUCTION OF ABE-AH
In this section we propose a novel construction with attribute hierarchies based on BSW’s CP-ABE scheme. This construction enjoys the lower computation and communication/storage costs. Moreover, we can generate a private key with range controls, and then can implement comparisons between two range controls from ciphertext and private key, respectively.

We set up our systems using bilinear pairings proposed by Boneh and Franklin [22]. Let G_1, G_2 and G_T be three cyclic groups of large prime order p using pairing-friendly curves, and e be a computable bilinear map e : G_1 G_2 → G_T ³ with the following properties. For any G ∈ G_1, H ∈ G_2 and all a, b ∈ Z_p, we have
1) Bilinearity. e(G^a, H^b) = e(G, H)^{ab}.
2) Non-degeneracy. e(G, H) ≠ 1 unless G or H = 1.
3) Computability. e(G, H) is efficiently computable.
Where, [a]P denotes the multiplication of a point P in elliptic curve by a scalar a ∈ Z_p. A bilinear map group system S is a tuple S = ⟨p, G_1, G_2, G_T, e⟩ composed of the objects as described above. S may also include group generators in its description. In addition, there is a hash function H : {0, 1} → G.

Our ABE-AH scheme is described in Fig. 8. Our scheme is constructed on BSW’s CP-ABE scheme, which makes use of the hierarchy secret sharing scheme (HSSS) to realize AND and OR operations for an access policy which is represented by Boolean function. In the description of our scheme, we omit these details. Our ABE-AH scheme has an optimum performance of storage and computation. For example, the length of the user’s private key usk is directly proportional to the number of attributes in A^(i), that is, O(#A^(i)), where # denotes the number of elements in a set. Similarly, the length of ciphertexts is directly proportional to the number of literals in an access tree T corresponding to p, that is, O(#T). More importantly, the length of ciphertexts is unrelated to the size of candidate attribute values for a certain policy, by which we usually measure the length of a ciphertext in the trivial equal matching way. Therefore, the shorter ciphertext commonly means the lower overheads of computation, so that the ABE-AH scheme also involves low computational overhead in the process of encryption and decryption.

Next, we prove that if the decryptor’s attribute values satisfy the policy p, and the decryptor can obtain the correct message M from a ciphertext C using our ABE-AH scheme. The analysis process is listed as follows:

First, if a decryptor’s attribute value a_ij satisfies the literal a_ik A_j in the ciphertext (that is a_ik a_ij), the decryptor computes f_{E″_i, a_ik a_ij}(v_ik^{s_i}) since the value v_ij^{s_i} = f_{E″_i, a_ik a_ij}(v_ik^{s_i}) =

3. We require that no efficient isomorphism G_2 → G_1 or G_1 → G_2 is known, or G_2 → G_1 is unknown but its inverted G_1 → G_2 is known.
v_ik^{s_i} ∏_{a_il ∈ G(a_ij, a_ik)} w_il^{s_i} = w_i0^{s_i} ∏_{a_ij 6 a_il} w_il^{s_i} ∈ G can be efficiently computed from E″_i = {w_il^{s_i}}_{a_ik a_il} and a_il ∈ G(a_ij, a_ik) {∀a_il, a_ik a_il} if the condition a_ik a_ij holds.

Second, given the correct value v_ij^{s_i} = f_{E″_i, a_ik a_ij}(v_ik^{s_i}), we can computes the value S_j in terms of Equation (5) as follows:

  S_i = e(D_i, E_i) / e(D′_i, f_{E″_i, a_ik a_ij}(E′_i)) = e(g^t v_ij^{r_i}, h^{s_i}) / e(h^{r_i}, f_{E″_i, a_ik a_ij}(v_ik^{s_i}))

∏_{a_l ∈ W_2} H(A||a_l). Due to the reason that all v_i must be chosen at random, this scheme do not permit the collision among the v_i (or v_i ≠ v_j) for i ≠ j. The following theorem tells us that this collision probability is negligible only if the security parameter k is large enough. Moreover, the fast sort algorithm can help us to find the collision.

Theorem 1. The collision probability of getting any sum among m random integers, which are chosen in Z_p from a uniform distribution, is less than (m+1)^2 / (4p), where p is a large prime number.

Since the total number of roles is far less than the size of space of keys, this theorem means that the collision probability is neglectable for a large number of attributes m, e.g., given m = 1,000 and m p 2^160, the collision probability is less than 2^20 / 2^162 = 2^-142. This means that the security of HHF is not related to the combination of the attributes.

Next, we prove that our HHF is secure with pre-image resistance under the Computational Diffie-Hellman (CDH) assumption: consider a cyclic group G of order p and a randomly chosen generator g, given (g^a, g^b) for two random a, b ∈ Z_p, it is computationally intractable to compute the value g^{ab} ∈ G. More exactly, we define a game to measure the difficulty of computing c_sk(a_j) from c_sk(a_i) for a_j a_i. That is, for any t-time PPT algorithm A and a negligible ε, if

  Pr[ ∀H, H ∈ pk, v_i c_sk(a_i);
      (a_j, v_j) A^{h( )}(pk, v_i);
      ∃a_j ∈_R V, a_j = a_j ∧ c_pk(a_j) = v_j  :  a_j a_i ] ε.

1= k 1= k
ðw0ij Þ al 2Gðai ;aj Þ l ¼ ððga Þr =vj Þ al 2Gðai ;aj Þ l . This contradicts to the CDH assumption, thus the theorem holds. □

Finally, we prove that our HHF is secure with second pre-image resistance under the CDH assumption. We also define a game to measure the difficulty of computing c_sk(a_j) from c_sk(a_i) for a_j || a_i and f_{pk, a_i a_k}(v_i) = f_{pk, a_j a_k}(v_j). That is, for any t-time PPT algorithm A and a negligible ε, if

  Pr[ ∀H, H ∈ pk, v_i c_sk(a_i);
      (a_j, v_j) A^{h( )}(pk, v_i);
      ∃a_j, a_k ∈_R V, a_j = a_j ∧ c_pk(a_j) = v_j;
      f_{pk, a_i a_k}(v_i) = f_{pk, a_j a_k}(v_j)  :  a_j || a_i ] ε.

We call that this problem is hard to resist the second pre-image attack of HHF. Hence, we have the following theorem.

Theorem 3. Assuming that the CDH assumption holds, any probabilistic polynomial-time PPT algorithm is hard to break the second pre-image resistance property.
Proof. Assume that there exists a PPT adversary A to compute v_j from (pk, v_i) for a_i || a_j and f_{pk, a_i a_k}(v_i) = f_{pk, a_j a_k}(v_j) with a non-negligible probability. By using A, we build an algorithm B′ to solve the CDH problem as follows:

1) given a_i, a_k ∈ H, let sk = a, B′ sets v_i = (g^a)^r and {w_l = (g^a)^{r_k}}_{∀a_k, a_i a_l}, where r and r_k are some random integers, and v_k = f_{pk, a_i a_k}(v_i).
2) for a hash query H(A) and H(A||a_l) in a_l ≠ a_j, the random Oracle returns H(A) = (g^b)^{k_0} and H(A||a_l) = (g^b)^{k_l}, but H(A||a_j) = g^r / (g^b)^{k_0 + Σ_{a_i 6 a_l, a_l ≠ a_j} k_l}, where k_l is a random integer in Z_p.
3) we revoke A(pk, v_i, {w_k}_{∀a_k, a_i a_k}). If A returns v_j for a_i || a_j and a_j a_k, B outputs g^{ab} = (v_j)^{1/(k_0 + Σ_{a_j 6 a_l} k_l)}.

According to the definition of v_i and a_i || a_j, we have

  v_i = (H(A) (∏_{a_i 6 a_l} H(A||a_l)))^a
      = ((g^b)^{k_0 + Σ_{a_i 6 a_l, a_l ≠ a_j} k_l} g^r / (g^b)^{k_0 + Σ_{a_i 6 a_l, a_l ≠ a_j} k_l})^a
      = g^{ar},

where H(A||a_j) = g^r / (g^b)^{k_0 + Σ_{a_i 6 a_l, a_l ≠ a_j} k_l}. Also, in terms of the definition of v_j and sk = a, we have v_j = (H(A) (∏_{a_j 6 a_l} H(A||a_l)))^a = ((g^b)^{k_0 + Σ_{a_i 6 a_l} k_l})^a. This means that v_j = (g^{ab})^{k_0 + Σ_{a_i 6 a_l} k_l}. Therefore, if A returns v_j, we have g^{ab} = (v_j)^{1/(k_0 + Σ_{a_j 6 a_l} k_l)}. This contradicts to computational CDH assumption, thus the theorem holds. □

In summary, two above-mentioned cases means that it is hard to compute the values of all elements {v_j}_{∀a_j, a_i 6 a_j} for a given v_i because we have the partial ordering a_i 6 a_j = (a_j r_i) ∨ (a_i || a_j). Therefore, our construction of HHF is a secure hierarchical hash functions.

7.2 Security Analysis of ABE-AH Scheme
The analysis of HHF has shown the security of partial ordering relation in our ABE scheme. Now, we focus on the security of ciphertexts in this scheme. Since semantic security is a widely used definition for security in an asymmetric key encryption algorithm, we will also prove the semantic security of our scheme. The semantic security of our ABE scheme enjoys the same security as the extension of BSW’s CP-ABE scheme [17] because our scheme is built on their scheme in addition to our partial ordering relation on HHF.

Our scheme is secure under extended Decision Diffie-Hellman problem assumption, which is defined as follows: Suppose S = (p, G, G_T, e( , )) be a cryptosystem on bilinear pairing. Given (G, G^t), (H, H^t), (e(G, H)^&, T) for two random t, & ∈ Z_n, it is hard to decide whether or not T = e(G, H)^{&t}, where g, h are two generators in G and G, G_T with order p. It is easy to see that an eDDH problem can be transferred into a DDH problem in G_T, that is, given (e(G, H), e(G, H)^t, e(G, H)^&, T) in G_T to decide whether T = e(G, H)^{&t}. This means that if DDH problem is hard in G_T then eDDH problem is also hard in G and G_T even if the bilinear pairing exists here.

More precisely, we have the following theorem according to the intractability of distinguishing the two distributions involved in the General Decision Diffie-Hellman Exponent (GDDHE) problem [23]:

Theorem 4 (Lower Bound of eDDH, [23]). Given an eDDH problem on S = (p, G, G_T, e( , )), for any PPT algorithm A that makes a total of at most q queries to the oracle computing the group operations in G, G_T and the bilinear pairing e : G G → G_T, we have Adv_eDDH(A) 2(q+10)^2 / p.

We prove the semantic security of our scheme under the assumption of extended DDH problem. Since this kind of security is concerned with the plaintext, which be confidentiality-protected rather than the validity of constraints as described above, we need only to consider the adaptive attribute lattice against chosen plaintext attacks. Hence, we prove the Theorem 5, in which the advantage of adversary is at most 4(q+10)^2 / p according to Theorem 4 and ε′ > 2ε.

Theorem 5 (Semantic Security). Assume that extended Decision Diffie-Hellman problem on S = (p, G, G_T, e( , )) with order p is (t′, ε′)-hard, the ABE-AH construction is (t, ε)-adaptive attribute lattice against chosen plaintext attacks (IND-AL-CPA), such that for any PPT algorithm A = (A_1, A_2), the success probability of A satisfies

  Pr[ b′ = b : ∀(pk, msk) Setup(k);
               (M_0, M_1) A_1^{O(H_i)}(pk);
               b ∈_R {0, 1};
               b′ A_2(Encrypt(pk, p, M_b)) ] ε,

where ε′ > 2ε, t′ t + q_A t_A + q_h t_h, and t_A, t_h denotes the time of attribute query and hash query.

8 PERFORMANCE EVALUATION
8.1 Performance Analysis of ABE Cryptosystem
Our ABE scheme is constructed on bilinear map system from elliptic curve pairings. For simplification, we give several notations to denote the time for various operations in our ABE scheme. E(G) and E(G_T) are used to denote the exponentiation in G and G_T, respectively. B is used to denote the pairing e : G G → G_T. We neglect the operations in Z_p, the hash function H : {0, 1} → G and the multiplication in G and G_T, since they are much more efficient than exponentiation and pairing operation. We analyse the computation and communication complexity for each phase, where |T| denotes the number of the leaf nodes in the tree, |A| denotes the set of attributes of encryptor and decryptor, and l_Zp, l_G, l_GT denote the length of elements in Z_p, G, G_T, respectively. The security of comparison operations is based on two mathematical assumptions: the hardness of CDH and eDDH problem, so we define k = 80 bit and p = 160 bit to build a sufficiently secure system.

In Tables 4 and 5, we analyse the performance of our ABE scheme from two aspects: computation and communication/storage costs. In Setup, the computation and storage costs are constant. In KeyGen, it is easy find that the
TABLE 4
Complexity Analysis of Our ABE Scheme

TABLE 5
Communication/Storage Analysis of Our ABE Scheme

                         Communication/Storage Complexity
Public parameter (pp)    $1\,l_{\mathbb{Z}_p}$
Encryption key (ek)      $3\,l_{\mathbb{G}} + 1\,l_{\mathbb{G}_T}$
Master key (msk)         $1\,l_{\mathbb{G}} + 1\,l_{\mathbb{Z}_p}$
Private key (usk)        $(1 + 2|A|)\,l_{\mathbb{G}}$
Ciphertext (C)           $(1 + 3|T|)\,l_{\mathbb{G}} + 1\,l_{\mathbb{G}_T}$
Plaintext (M)            $1\,l_{\mathbb{G}_T}$

TABLE 6
The Results of Conversion from RBAC to ABAC

Fig. 9. Computational costs of our scheme under the different sizes of attribute hierarchy (from 5 to 55).
TABLE 7
Computational Costs of Our Scheme for Different Hierarchies

Hierarchy size   Setup     GenKey    Encrypt   Decrypt
5                3.38521   5.97481   7.56601   12.99482
10               3.38521   5.97481   7.56601   12.99482
15               3.38521   5.97481   7.56601   12.99482
20               3.44761   5.97481   7.56601   12.99482
25               3.43201   5.89681   7.59721   13.02602
30               3.38521   5.91241   7.62841   13.05722
35               3.40081   5.89681   7.64401   13.07282
40               3.40081   6.00601   7.76881   13.16642
45               3.43201   6.06841   7.90921   13.21322
50               3.44761   6.08401   7.92481   13.33802
55               3.47881   6.38041   8.42402   13.55642

9 RELATED WORK
While the concept of ABAC has been around (introduced as early as 1996 in ISO 10181-3 and X.509 ACs), it has gained prominence in research literature with its use in trust negotiation and credential-based access control in a distributed system with multiple administrative domains [6], [15]. Goyal et al. [3] first defined the two complementary forms of ABE, namely, Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE), and provided a construction for KP-ABE. Then, Bethencourt et al. [17] gave the first construction for a CP-ABE scheme (BSW for short) in the generic group model. These schemes supported monotonic Boolean encryption policies. Many ABE schemes with varying properties have been proposed since then, for example, schemes that supported non-monotonic Boolean encryption policies (e.g., [4]), schemes that supported multiple attribute authorities (e.g., [24]), and so on. Recently, Lewko and Waters [25] proposed a multi-authority ABE system, in which any party can become an authority and there is no requirement for any global manager. Also, Waters [26] presented a new methodology for realizing CP-ABE under concrete and non-interactive cryptographic assumptions in the standard model. Lewko et al. [27] presented a fully secure ABE scheme and an attribute-hiding predicate encryption (PE) scheme for inner-product predicates by using the dual system encryption methodology.

10 CONCLUSION
In this paper, we presented an effective method to reduce the policy-specification burden on cloud users in the process of using ABE. Our method improves ABE to support the RBAC model, so that existing RBAC users can, without alterations, access their ABE-encrypted data in the cloud. Compared with the trivial equality and bit matching in prior solutions, our scheme enhances the expressive capacity of access policies, decreases the computational overheads, and reduces the size of ciphertexts and private-keys for attribute-based encryption.

ACKNOWLEDGMENTS
The authors are indebted to anonymous reviewers for their valuable suggestions. This work was supported by the National 973 Program (Grant No. 2013CB329605) and the National Natural Science Foundation of China (Grant Nos. 61170264 and 61472032).

REFERENCES
[1] F. R. Institute. (2010). Personal data in the cloud: A global survey of consumer attitudes [Online]. Available: http://www.fujitsu.com/downloads/SOL/fai/reports/fujitsu/personal-data-in-the-cloud.pdf
[2] K. Ren, C. Wang, and Q. Wang, “Security challenges for the public cloud,” IEEE Internet Comput., vol. 16, no. 1, pp. 69–73, Jan./Feb. 2012.
[3] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proc. 13th ACM Conf. Comput. Commun. Security, 2006, pp. 89–98.
[4] R. Ostrovsky, A. Sahai, and B. Waters, “Attribute-based encryption with non-monotonic access structures,” in Proc. 14th ACM Conf. Comput. Commun. Security, 2007, pp. 195–203.
[5] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing,” in Proc. IEEE Conf. Comput. Commun., 2010, pp. 534–542.
[6] R. Bobba, O. Fatemieh, F. Khan, A. Khan, C. A. Gunter, H. Khurana, and M. Prabhakaran, “Attribute-based messaging: Access control and confidentiality,” ACM Trans. Inf. Syst. Secur., vol. 13, no. 4, p. 31, 2010.
[7] V. C. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller, and K. Scarfone, “Guide to attribute based access control (ABAC) definition and considerations,” NIST Special Publ., vol. 800, p. 162, 2014.
[8] M. J. Atallah, K. B. Frikken, and M. Blanton, “Dynamic and efficient key management for access hierarchies,” in Proc. 12th ACM Conf. Comput. Commun. Security, Alexandria, VA, USA, 2005, pp. 190–202.
[9] S. D. C. di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and P. Samarati, “Over-encryption: Management of access control evolution on outsourced data,” in Proc. 33rd Int. Conf. Very Large Data Bases, 2007, pp. 123–134.
[10] R. Bobba, H. Khurana, and M. Prabhakaran, “Attribute-sets: A practically motivated enhancement to attribute-based encryption,” in Proc. 15th Eur. Symp. Res. Comput. Security, 2009, pp. 587–604.
[11] G. Wang, Q. Liu, and J. Wu, “Hierarchical attribute-based encryption for fine-grained access control in cloud storage services,” in Proc. ACM Conf. Comput. Commun. Secur., 2010, pp. 735–737.
[12] J. Li, Q. Wang, C. Wang, and K. Ren, “Enhancing attribute-based encryption with attribute hierarchy,” in Proc. ACM Mobile Netw. Appl., vol. 16, no. 5, pp. 553–561, 2011.
[13] Y. Zhu, G.-J. Ahn, H. Hu, D. Ma, and S. Wang, “Role-based cryptosystem: A new cryptographic RBAC system based on role-key hierarchy,” IEEE Trans. Inf. Forensics Secur., vol. 8, no. 12, pp. 2138–2153, Dec. 2013.
[14] R. Sandhu, E. Coyne, H. Fenstein, and C. Youman, “Role-based access control models,” IEEE Comput., vol. 29, no. 2, pp. 38–47, Feb. 1996.
[15] R. Bobba, O. Fatemieh, F. Khan, C. A. Gunter, and H. Khurana, “Using attribute-based access control to enable attribute-based messaging,” in Proc. 22nd Annu. Comput. Security Appl. Conf., 2006, pp. 403–413.
[16] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Proc. EUROCRYPT, 2005, pp. 457–473.
[17] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proc. IEEE Symp. Secur. Privacy, 2007, pp. 321–334.
[18] V. Goyal, A. Jain, O. Pandey, and A. Sahai, “Bounded ciphertext policy attribute based encryption,” in Proc. Int. Colloq. Automata, Lang. Program., 2008, pp. 579–591.
[19] Y. Zhu, G.-J. Ahn, H. Hu, S. Yau, H. An, and C.-J. Hu, “Dynamic audit services for outsourced storages in clouds,” IEEE Trans. Serv. Comput., vol. 6, no. 2, pp. 227–238, Apr.-Jun. 2013.
[20] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu, “Order preserving encryption for numeric data,” in Proc. ACM SIGMOD Int. Conf. Manage. Data, 2004, pp. 563–574.
[21] A. Boldyreva, N. Chenette, and A. O’Neill, “Order-preserving encryption revisited: Improved security analysis and alternative solutions,” in Proc. Annu. Int. Cryptol. Conf. Adv. Cryptol., 2011, pp. 578–595.
[22] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Proc. 21st Annu. Int. Cryptol. Conf. Adv. Cryptol., 2001, pp. 213–229.
[23] D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical identity based encryption with constant size ciphertext,” in Proc. 24th Annu. Int. Conf. Theory Appl. Cryptographic Tech., 2005, pp. 440–456.
[24] M. Chase and S. S. M. Chow, “Improving privacy and security in multi-authority attribute-based encryption,” in Proc. ACM Conf. Comput. Commun. Secur., 2009, pp. 121–130.
[25] A. B. Lewko and B. Waters, “Decentralizing attribute-based encryption,” in Proc. Annu. Int. Conf. Theory Appl. Cryptographic Tech., 2011, pp. 568–588.
[26] B. Waters, “Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization,” in Public Key Cryptography, New York, NY, USA: Springer, 2011, pp. 53–70.
[27] A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, “Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption,” in Proc. Annu. Int. Conf. Theory Appl. Cryptographic Tech., 2010, pp. 62–91.

Yan Zhu received the PhD degree in computer science from Harbin Engineering University, China, in 2005. He is currently a professor at the University of Science and Technology, Beijing, China. He was an associate professor at Peking University, China, from 2007 to 2012. He was a visiting associate professor at the Arizona State University, from 2008 to 2009, and a visiting research investigator of the University of Michigan-Dearborn in 2012. His research interests include cryptography, secure computation, and network security. He is a member of the IEEE.

ChangJyun Hu received the PhD degree from Peking University, Beijing, China, in 2001. He is currently a professor at the School of Computer and Communication Engineering, University of Science and Technology, Beijing, China. His main research interests include parallel computing, parallel compilation technology, parallel software engineering, network storage system, data engineering, and software engineering.

Xin Wang received the BS degree from the Hubei University of Technology, China, in 2012. She has been working toward the master's degree at the School of Computer and Communication Engineering, University of Science and Technology Beijing, China, since 2013. Her research interests include cryptography, cloud computing, and network security.