Permission Management System For Secure Clouds

You might also like

Download as pdf or txt
Download as pdf or txt
You are on page 1of 3


Permission Management System for Secure Clouds

1,2,3,4,5 1

International Journal of Systems , Algorithms & Applications

Ashwini U S, 2Kiran R, 3Iranna N K, 4Kirana K B, 5T. S. Bharath(M. Tech) Computer science and Engineering,Sri Siddhartha Institute of Technology, VTU, Tumkur, India email: ashwinius@ymail.com1, iranna90@gmail.com2, Kinni999@gmail.com3, k.kirana2@gmail.com4,

Abstract Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. In this paper, we discuss a novel approach to controlling access to user data in the cloud, Permission Management System (PMS). User data are encrypted to maintain confidentiality and permissions are managed via decryption keys using techniques of attribute-based encryption (ABE). Keywords: PMS, ABE

The rest of this paper is organized as follows. Section 2 discusses about related works. In Section 3, we present our approach, followed by the discussion on the design and implementation in Section 4 and section 5 concludes this paper. II. BACKGROUND AND RELATED WORK A. Attribute Based Encryption There has been growing interest in attribute based encryption (ABE) since first proposed by Sahai et al. [2] ABE is based on and extended from identity based encryption (IBE) [3], which is similar to traditional public-key based cryptography systems, but instead of using a randomly generated public key, entities use unique strings or other short identifiers, such as email addresses, as their public key. For instance, to send an encrypted email to, Alice would encrypt the message using the email address as the public key. Bob would obtain his corresponding private key from a Private Key Generator to decrypt the message. Therefore, IBE helps negate the use of public key certificate in PKC-based applications. ABE is a further extension from this. In ABE, a set of user attributes, not just user identity, are associated with both cipher text and decryption key so that the user that can provide a correct subset of attributes depending on access policy can decrypt the cipher text using the decryption key. For instance, to encrypt a confidential data stored in the intranet and allow it to be decrypted only by Account Payable or HR managers in, Alice would encrypt the data along with her access control policy expressed as (Account Payable manager:company.com_HR Bob, who is an HR manager in, would obtain his corresponding private key from Alice to decrypt the data. Hence, ABE enables a very flexible and scalable access control system. There have been two types of ABE proposed: keybased ABE (KP-ABE) and cipher text-policy ABE (CP -ABE). In KP-ABE, access policy is associated with private key, whereas in CP-ABE, the access policy is specified in the cipher text [2][3]. Our approach uses the latter. III. OUR APPROACH In this section, we discuss our approach to enabling a user centric and flexible access control system in cloud

I. INTRODUCTION In past three decades, the world of computation has changed from centralized (client-server not web-based) to distributed systems and now we are getting back to the virtual centralization (Cloud Computing). Location of data and processes makes the difference in the realm of computation. On one hand, an individual has full control on data and processes in his/her computer. On the other hand, we have the cloud computing wherein, the service and data maintenance is provided by some vendor which leaves the client/customer unaware of where the processes are running or where the data is stored. So, logically speaking, the client has no control over it. One of the challenging problems cloud computing [1] is facing in this context is the security of data in the cloud in general, access control to the data in the cloud in specific. Since the physical location of user data in the cloud is unknown and often the data are distributed across multiple cloud services, there is a strong need for a better solution for involving users in the development and control of access control policies surrounding the use of their data. In this paper we present a novel approach to controlling access to user data in the cloud to address the issues. Specifically, providing an environment where user can set permissions for all data stored on a cloud. When user uploads data to the cloud he is asked to set the access control parameters for the data and then cloud owner monitors the data accordingly. Moreover, user data are encrypted using attribute based encryption (ABE), therefore remaining confidential, and permissions are managed in the form of decryption key.
Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 ICTM 2011|June 8-9,2011|Hyderabad|India



International Journal of Systems , Algorithms & Applications


Figure 1. Architecture based on our approach

A. Permission Management System The Permission Management System proposed here comes as a software package which the cloud owner can install in his cloud to ensure data owners that their data is secure. It works as follows: Cloud service provider installs PMS software. Whenever data owner uploads data to the cloud PMS asks him to specify access structure and set access credentials. PMS encrypts the data and this encrypted data will be stored on cloud server. Whenever any user tries to access the data he needs to specify his attributes. Based on users attributes PMS locates him in the access structure and allow/deny the request accordingly. If the user is allowed PMS provides him with the decrypted data. The system is flexible as it allows the owner to specify different access credentials on same data to different users based on their access structure. B. ABE Components Four fundamental components from the cipherpolicy attribute based encryption (CP-ABE) are needed for our scheme to realize Permission Management System in cloud computing, which are Setup, Encrypt, KeyGen, and Decrypt. In order to describe them, we slightly modify the notations [4] as follows: Definition 1. (Access Structure) Let {A1, A2, A3, ..., An} be a set of attributes. A collection A _ 2 {A1,A2,A3,...,An} is monotone if 8B, C: if B 2 A and B _ C then C 2 A. An access structure is a collection A of non-empty subsets of {A1, A2, A3,..., An}. The sets in A are called the authorized attribute sets, and the sets not in A are called the unauthorized attribute sets. Having defined the access structure, we discuss the four components as follows:
Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 ICTM 2011|June 8-9,2011|Hyderabad|India

Setup component: the setup component initializes a permission management service for a user by generating the public parameters PK and a master key MK. Encrypt component: The encrypt component encrypts user data in service providers. It takes as input the public parameters PK, a data M, and an access structure A. The component will encrypt M and produce a cipher text CT such that only a user that possesses a set of attributes that satisfies the access structure will be able to decrypt the data. Key generation component: The key generation component generates a private key for a requester, taking as input the master key MK and a set of attributes S that describes the key. Decrypt component: The decrypt component decrypts the encrypted data using the public parameters PK, a cipher text CT, which contains an access policy A, and a private key SK. If the set S of attributes satisfies the access structure A, then the component will decrypt the cipher text and return a message M.

IV. DESIGN AND IMPLEMENTATION Permission Management System is implemented as software which consists of CPABE logic for data encryption and decryption. The methods PMS includes are: PMS::install : This deals with installation of the software in the cloud and initial configuration. PMS::upload : This method is invoked whenever owner wants to upload data to the cloud. It takes data, access structure and access credentials as input. Encrypted data is the output. Also it stores access structure and access credentials for future reference. PMS::access : Any user request to access data on the cloud internally calls this method. It accepts users attributes as input and checks it with access structure and access structure associated with the requested data. If the user has required permission decrypted data is produces as output. Otherwise request is simply denied. V. DISCUSSION AND CONCLUSIONS Permission Management System (PMS) makes life in the Cloud easier for content owners by providing an easy and flexible method for access control. Once the package is installed in the cloud server, each upload and access will be handled by PMS itself; no need of cloud service providers instructions. In this paper we discussed an effective solution data security in cloud environment using Attribute Based Encryption (ABE). We discussed a security architecture based our approach. In order to demonstrate its feasibility, we finally presented the design and implementation.



International Journal of Systems , Algorithms & Applications

[1] B. Hayes, Communications of the ACM, in Cloud computing, vol. 51, no. 7, 2008, pp. 911. [2] A. Sahai and B. Waters, Advances in Cryptology-EUROCRYPT 2005, in Fuzzy identity-based encryption, 2005, pp. 457473.

[3] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, in Advances in Cryptology-CRYPTO 2001. Springer, 2001, pp. 213229. [4] J. Bettencourt, A. Sahai, and B. Waters, Ciphertext-policy attributebased encryption, in IEEE Symposium on Security and Privacy, 2007. SP07, 2007, pp. 321334.

Volume 2, Issue ICTM 2011, February 2012, ISSN Online: 2277-2677 ICTM 2011|June 8-9,2011|Hyderabad|India

You might also like