Policy-based Broadcast Access Authorization for Flexible Data Sharing in Clouds
Abstract : Cloud storage services allow data owners to outsource their potentially sensitive data (e.g., private genome data) to remote cloud servers in a ciphertext form. To enable data owners to further share the data encrypted in ciphertexts, many proxy re-encryption (PRE) schemes are proposed. However, most schemes only support single-recipient or coarse-grained re-encryption, which may limit the flexibility for data sharing. To address this issue, we propose a Policy-based Broadcast Access Authorization (PBAA) scheme by introducing the well-established identity-based broadcast encryption (IBBE) and key-policy attribute-based encryption into PRE. In our PBAA scheme, a data owner can apply IBBE to encrypt his data to a group of recipients. More importantly, the data owner can generate a delegation key with an access policy, and send this key to the cloud such that it can convert any initial ciphertext satisfying the access policy into a new ciphertext for a new group of recipients. With these features, cloud users can share their remote data in a secure and flexible way. Security analysis and performance evaluation show that the PBAA scheme is secure and efficient, respectively.
? These algorithms become sublinear in the number of existing Usrs as they are executed with a logarithmic number of secrets to cover all existing Usrs.
? Such schemes assure forward and backward security by only changing the public information and without affecting secret shares given to existing users.
? The ability to derive the secret encryption/decryption keys using public values is a key point to achieve transparency in subscription handling. Most of the existing GKM schemes fail to achieve this objective.
? The rekey process is not transparent, thus shifting the burden of acquiring new keys on existing users when others leave or join.
? This raises a serious problem when the encrypted data needs to be shared to more people beyond those initially designated by the data owner.
? To address this problem, we introduce and formalize an identity-based encryption transformation (IBET) model by seamlessly integrating two well-established encryption mechanisms, namely identity-based encryption (IBE) and identity-based broadcast encryption (IBBE).
? This paper attempts to solve such problem technically so that the authorities can transform the ciphertexts from one 2 encryption system to another, without handing over their decryption keys.
? This scheme requires the interaction between data owners and a key generator authority for each transformation, which may result an efficiency problem.
• The proposed key management scheme works efficiently even when there are thousands of Usrs.
• The OCBE protocols, proposed by Li and Li, provide the capability of delivering information to qualified users in an oblivious way.
• Based on our preliminary work , we propose a provably secure BGKM scheme, called ACVBGKM, and formalize the notion of BGKM.
• Having identified these problems, our preliminary work , proposes an approach to make rekey transparent to users by not distributing actual keys during the registration phase.
• We propose an efficient approach for finegrained encryption-based access control for documents stored in an untrusted cloud file storage.
? The performance of the asymmetric encryption is thus independent of the data size.
? We conducted a series of experiments to evaluate the performance of the IBET scheme.
? In particular, we implemented the efficient BB04 IBE scheme to compare its performance with ours in terms of file creation and file access.
? Many efforts have been made to improve efficiency and security of PRE and most of them focus on unidirectional PRE.
? Moreover, it enables users to first choose efficient identitybased encryption mechanisms to protect data, and then transform the encrypted data (if they like) so that users from a different (IBBE) encryption system can access.
|