flexible data access

2168-7161 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/TCC.2015.2469662, IEEE Transactions on Cloud Computing

> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <

1

Abstract— Cloud computing offers a new way of services and

has become a popular service platform. Storing user data at a cloud data center greatly releases storage burden of user devices and brings access convenience. Due to distrust in cloud service providers, users generally store their crucial data in an encrypted form. But in many cases, the data need to be accessed by other entities for fulfilling an expected service, e.g., an eHealth service. How to control personal data access at cloud is a critical issue. Various application scenarios request flexible control on cloud data access based on data owner policies and application demands. Either data owners or some trusted third parties or both should flexibly participate in this control. However, existing work hasn’t yet investigated an effective and flexible solution to satisfy this demand. On the other hand, trust plays an important role in data sharing. It helps overcoming uncertainty and avoiding potential risks. But literature still lacks a practical solution to control cloud data access based on trust and reputation. In this paper, we propose a scheme to control data access in cloud computing based on trust evaluated by the data owner and/or reputations generated by a number of reputation centers in a flexible manner by applying Attribue-Based Encryption and Proxy Re-Encryption. We integrate the concept of context-aware trust and reputation evaluation into a cryptographic system in order to support various control scenarios and strategies. The security and performance of our scheme are evaluated and justified through extensive analysis, security proof, comparison and implementation. The results show the efficiency, flexibility and effectiveness of our scheme for data access control in cloud computing.

Index Terms— Trust; reputation; access control; cloud computing.

This work is sponsored by the PhD grant (JY0300130104) of Chinese

Educational Ministry, the initial grant of Chinese Educational Ministry for researchers from abroad (JY0600132901), and the grant of Shaanxi Province for excellent researchers from abroad (680F1303).

Zheng Yan is with the State Key Lab of Integrated Services Networks, Xidian University, Xi'an 710071, China. (e-mail: [email protected])

Zheng Yan is with the Department of Communications and networking, Aalto University, Otakaari 5, Espoo 02150, Finland. (e-mail: [email protected]).

Xueyun Li is with the Department of Communications and Networking, Aalto University, Otakaari 5, Espoo 02150, Finland. (e-mail: [email protected])

Mingjun Wang is with the State Key Lab of Integrated Services Networks, Xidian University, Xi’an, 710071, China. (e-mail: [email protected]).

Athanasios V. Vasilakos is with the Lulea University of Technology, Sweden. (e-mail: [email protected])

I. INTRODUCTION LOUD computing offers a new way of services by re-arranging various resources (e.g., storage, computing

and services) and providing them to users based on their demands. Cloud computing provides a big resource pool by linking various network resources together. It has desirable properties, such as scalability, elasticity, fault-tolerance, and pay-per-use. Therefore, it becomes a promising service platform, rearranging the structure of Information Technologies. In many situations, different Cloud Service Providers (CSPs) are requested to collaborate together in order to provide an expected service to a user.

On the other hand, reputation and trust relationships in different contexts can be assessed based on social networking activities, behaviors and experiences, as well as performance evaluation. With the rapid growth of mobile communications and the wide usage of mobile devices, people nowadays perform various social activities with their mobile devices, e.g., calling, chatting, sending short messages, and conducting instant social activities via various wireless network connections. Social trust relationships can be established and assessed in a digital world, as illustrated in [29]. Reputation can be assessed based on feedback and Quality of Service (QoS) of an entity [30]. Trust and reputation play a decisive role in cyber security.

A. Motivation One important issue in cloud computing is data security.

Private data of users are stored in the data center of CSP to release the storage and computing burden of personal devices. Typical data examples are social security records and health statistical data monitored by wearable sensors. However, the CSP could be curious on personal privacy [38]. Thus, critical personal data stored in CSP are generally encrypted and their access is controlled. Obviously, these personal data could be accessed by other entities in order to fulfill a cloud service. How to control personal data access at CSP is a practical issue.

Rationally, the data owner should control own data access. But in many situations, the data owner is not available or has no idea how to do the control, when, for example, personal health records should be accessed by several medical experts in order to figure out a treatment solution or by a foreign physician when the data owner is traveling and falling into a

Flexible Data Access Control based on Trust and Reputation in Cloud Computing

Zheng Yan, Senior Member, IEEE, Xueyun Li, Mingjun Wang and Athanasios V. Vasilakos, Senior Member, IEEE

C




2

health problem abroad. Therefore, an access control agent is expected in this situation in order to reduce the risk of the data owner in personal data management. Considering both above demands in practice, a heterogeneous scheme that can flexibly control data access in cloud computing is expected.

A number of solutions have been proposed for protecting data access in the cloud. Access Control List (ACL) based solutions suffer from the drawback that computation complexity grows linearly with the number of data-groups [4] or the number of users in the ACL [5]. Role Based Access Control (RBAC) cannot flexibly support various data access demands that rely on trust [31]. In recent years, access control schemes based on Attribute-Based Encryption (ABE) were proposed for controlling cloud data access based on attributes in order to enhance flexibility [13-15, 18, 19, 22, 24]. However, the computation cost of these solutions is generally high due to the complexity of attribute structure. The time spent on data encryption, decryption and key management is more than symmetric key or asymmetric key encryptions. Critically, most of existing schemes cannot support controlling cloud data access by either the data owner or access control agents or both. This fact greatly influences the practical deployment of existing schemes. Current research is still at the stage of academic study. Little work was proposed to control the access of data stored at the CSP based on the trust evaluated by the data owner or the reputation generated by a trusted third party (e.g., a reputation center) or both in a uniform design.

B. Main Contributions In this paper, we propose a scheme to flexibly control data

access based on trust and reputation in cloud computing. We propose multi-dimensional controls on cloud data access based on the policies and strategies set by the data owner. Concretely, the data owner encrypts its data with a symmetric secret key 𝐾. This encryption key can be divided into multiple parts in order to support various control strategies. For example, the data owner can control its data access based on either individual trust evaluation or reputation generated by multiple RCs or according to both above in order to highly ensure data security and privacy in various situations. In more details, the secret encryption key 𝐾 can be divided into multiple parts 𝐾!,𝐾!,… ,𝐾! (𝑛 ≥ 0). The data owner encrypts different parts of 𝐾 with different encryption keys that are respectively managed by the data owner and a number of reputation centers (RCs) regarding different reputation properties in different contexts (e.g., user feedback, brand rank and credibility in medical treatment). Later on, the data owner and/or RCs can control the data access following the way of data encryption handled by the data owner. Specifically, the contributions of this paper can be summarized as below: 1) We motivate securing cloud data by controlling its access based on the trust and reputation evaluated by the data owner and/or multiple reputation centers in a flexible manner. 2) To the best of our knowledge, our scheme is one of the first to flexibly control cloud data access in an efficient way by integrating the concept of trust and reputation evaluation into a

cryptographic system. It can support various control policies and strategies in different scenarios. 3) We prove and justify the security and advanced performance of our scheme through extensive analysis, security proof and implementation.

The rest of the paper is organized as follows. Section II briefly reviews related work. Section III introduces the system and threat models and our design goals. In Section IV, we present the detailed description of the proposed scheme, followed by example approaches of trust evaluation and reputation generation in Section V. In Section VI, we prove scheme security, analyze its computation complexity, and evaluate its performance through implementation. Finally, conclusion is presented in the last section.

II. RELATED WORK In cloud computing, data owners upload personal data to

CSP and allow it to maintain these data. Rather than fully trusting the CSP, existing research [1-3] proposed to only outsource encrypted data to the cloud in order to ensure data privacy. The encrypted data can only be decrypted by authorized entities with permissions.

A. Access Control on Encrypted Data Different cryptographic mechanisms are applied to realize

access control on encrypted data. By adopting a traditional symmetric key cryptographic system, the data owner can classifies data with similar ACLs into a data-group before outsourcing to CSP, and then encrypts each data-group with a symmetric key. The symmetric key will be distributed to the users in the ACL, so that only the users in the ACL can access the corresponding group of data [4]. The main drawback of this approach is that the number of keys managed by the data owner grows linearly with the number of data-groups. The change of trust relationship between one user and the data owner could make the symmetric key revoked, which impacts other users in the same ACLs and increases the burden of key management. Thus, this solution is impractical in many real application scenarios.

Another approach is based on the combination of traditional symmetric key and public key cryptographic systems [5]. The data owner first specifies an ACL for a data, and then encrypts the data with a symmetric key, which is encrypted with the public keys of users in the ACL. Therefore, only the users in the ACL can recover the data using their private keys. The main drawback of this approach is that the cost for encrypting the symmetric key grows linearly with the number of users in the ACL. This approach cannot efficiently handle frequent changes of trust relationships, either.

RBAC has been applied in cloud computing. It provides flexibility on access control management at a level that corresponds closely to an organization’s policy and structure. Zhou et al. proposed a secure RBAC-based cloud storage system where the access control policies are enforced by Role-Based Encryption (RBE) [31]. This RBE scheme enforces RBAC policies on encrypted data stored in the cloud with an efficient user revocation mechanism, so that only the




3

users with appropriate roles specified by a RBAC policy can decrypt the data. Wang et al. proposed a dynamic role based access control framework by integrating trusted computing with RBAC in cloud computing [32]. We can find many RBAC mechanisms for cloud computing in the literature [33, 34], but most of them cannot flexibly satisfy various data access demands that request trust, especially for the same role. Fine-grained access control inside a role cannot be supported.

Attribute based access control is also an important technical division in secure cloud computing. ABE [6-9, 39] is a promising cryptographic technique and an attractive choice when selecting an encryption scheme for cloud computing. In an ABE system, users are identified by a set of attributes rather than an exact identity. Each data is encrypted with an attribute-based access structure, such that only the users whose attributes satisfy the access structure can decrypt the data. ABE has developed into two branches, Key-Policy ABE (KP-ABE) [7] and Ciphertext-Policy ABE (CP-ABE) [6, 8] depending on how attributes and policies are associated with ciphertexts and decryption keys.

ABE is widely applied in secure data storage for cloud computing in order to achieve flexibility, scalability and fine-grained access control [13-15, 18, 19, 22, 24]. Examples are a Hierarchical Attribute-Set-Based Encryption (HASBE) for data access control in cloud computing by extending Ciphertext-Policy Attribute-Set-Based Encryption (ASBE) with a hierarchical structure of users [22]. The proposed scheme not only achieves scalability due to its hierarchical structure, but also inherits flexibility and fine-grained access control in supporting compound attributes of ASBE. In addition, HASBE employs multiple value assignments for access expiration time to deal with user revocation. Yu et al. proposed an access control mechanism based on KP-ABE for cloud computing, together with Proxy Re-Encryption (PRE) and lazy re-encryption for efficient user revocation [13]. This scheme enables a data owner to delegate most of the computational overhead to cloud servers. It provides user access privilege confidentiality and user secret key accountability. The use of KP-ABE provides fine-grained access control gracefully. Each file is encrypted with a symmetric Data Encryption Key (DEK), which is in turn encrypted by a public key corresponding to a set of attributes in KP-ABE. Wang, Liu and Wu proposed hierarchical ABE (HABE) to achieve fine-grained access control in cloud storage services by combining Hierarchical Identity-Based Encryption (HIBE) and CP-ABE [14, 18]. This scheme fully delegates computation to CSP. Tang et al. presented FADE, a secure overlay cloud storage system that provides fine-grained access control and assured deletion for outsourced data on cloud [28]. In FADE, active data files that remain on the cloud are associated with a set of user-defined file access policies (e.g., time expiration, read/write permissions of authorized users), such that data files are accessible only to users who satisfy the file access policies. In addition, FADE generalizes time-based file assured deletion (i.e., data files are assuredly deleted upon time expiration) into a more fine-grained approach called policy-based file assured deletion, in which

data files are assuredly deleted when the associated file access policies are revoked and become obsolete.

However, existing access control solutions based on ABE applied complicated attribute structure to achieve fine-grained access control, which makes computation load for key and data management heavy. An efficient access control scheme is expected in practice. Notably, little existing work proposed to control cloud data access based on trust and/or reputation that actually play a decisive role in data sharing. Integrating trust/reputation mechanism into a traditional cryptographic system for data access control hasn’t yet been seriously explored. Our work is a useful supplement of prior arts.

Barsoum and Hasan proposed a cloud-based storage scheme that supports outsourcing of dynamic data to cloud [35]. This scheme ensures authorized users to receive the most recent version of the outsourced data. In case of dispute regarding data integrity/newness, a Trusted Third Party is able to determine the dishonest party in order to achieve indirect mutual trust between data owners and CSP. By applying broadcast encryption, lazy revocation, and key rotation, access control for the outsourced data is achieved. Our scheme applies different technologies to control cloud data access based on trust and reputation.

B. User Revocation User revocation is not a trivial task. The key problem is that

the revoked users still retain the keys issued earlier, and thus can still decrypt ciphertexts. Therefore, whenever a user is revoked, the re-keying and re-encryption operations need to be executed by the data owner to prevent the revoked user from accessing the future data. For example, when ABE is adopted to encrypt data, the work in [10] proposed to require the data owner to periodically re-encrypt the data, and re-distribute new keys to authorized users. This approach is very inefficient due to the heavy workload introduced to the data owner.

A better solution is to let the data owner delegate a third party to execute some computational intensive tasks, e.g., re-encryption, while leaking the least information. Proxy Re-Encryption (PRE) [11, 12] is a good choice, where a semi-trusted proxy is able to convert a ciphertext that can be decrypted by Alice into another ciphertext that can be decrypted by Bob, without knowing the underlying data and user secret keys. For example, the work in [13] is one of the first to combine KP-ABE and PRE to delegate most of the computation tasks involved in user revocation to CSP. The work in [14] combined PRE and a CP-ABE system to achieve a scalable revocation mechanism in cloud computing. Attribute revocation was supported in [15]. It requires that once a user is revoked from a system, the data owner should send PRE keys to the CSP, with which the CSP can be delegated to execute re-encryption. The main problem of this approach is that the data owner should be online in order to send the PRE keys to the CSP in a timely fashion, to prevent the revoked user from accessing the data. The delay of issuing PRE keys may cause a potential security risk. Yang et al. constructed a new multi-authority CP-ABE scheme with efficient decryption and proposed an efficient attribute




4

revocation method for it. This scheme can be applied into access control for multi-authority cloud storage systems [37]. But this scheme cannot flexibly control data access by either the data owner or authorized parties or both at the same time.

In our proposed scheme, revocation is implemented through the cooperation between the data owner, CSP and RCs based on a reputation mechanism. Policy based access control is applied at CSP and RCs. Key re-generation is conducted if necessary by the data owner. Thus, the computation complexity is reduced and at the same time flexibility is ensured for access control.

C. Reputation System Building a mutual trust relationship between users and

cloud platform is the key to implement new access control methods in cloud. There are many reputation management systems available nowadays [16]. Some work proposes to compose a number of services together based on trust and select services based on reputation [17]. Lin et al. proposed a mutual trust based access control (MTBAC) model [36]. It takes both user's behavior trust and cloud service credibility into consideration. Trust relationships between users and CSPs are established by mutual trust mechanism. However, most existing reputation management systems didn’t consider how to control personal data access based on reputation over the cloud. Access control at CSP based on trust and reputation was seldom studied.

In our previous work, we propose using trust level to control data access, e.g., in pervasive social networking [21]. But the scheme in [21] is not about controlling access to the data stored in CSP. In [29], we proposed using trust level assessed in mobile social networking to control personal data access at CSP. But this scheme cannot control data access in the case that the data owner has no idea of the trust/reputation of a data requester or when the data owner is offline. Therefore, we further propose introducing one or more RCs to delegate a data owner for data access control when it cannot justify the reputation of a data requester or when it is not available. We advocate that a flexible and heterogeneous approach is expected in the fulfillment of various practical demands over the cloud.

III. PROBLEM STATEMENT

A. System and Threat Models The following scenario illustrates the problem we are going

to solve. A mobile user’s personal health data (e.g., collected by his on-body wearable devices) are stored at the data center of CSP. In order to avoid the data to be disclosed to the CSP and unauthorized entities, the user encrypts the data to limit access. He would like to assign the people he trusts to access these data. He also prefers to assign the entity (e.g., a CSP) reputable for health treatment to access these data if CSP collaboration is needed for a health treatment. How to ensure secure personal data access by a trustworthy entity (e.g., a user, a service provider, or a service) is an important issue. The user trusts some people or CSPs based on his own

experiences. But in many cases, it is hard for him to judge the trustworthiness of all entities involved into service provision. In this case, the data owner cannot properly control the data access by itself. Particularly, we hope to support such a case that a medical treatment can be conducted in an urgent situation based on historical health records, e.g., for a patient who falls into an accident when travelling abroad. In this case, personal health data access can be issued based on reputation according to the data owner’s policies. Meanwhile, compensation or insurance should be provided for personal data disclosure. How to flexibly ensure trustworthy data access in the above situations is critical in practice.

Fig. 1: A system model

We consider such a system involving three different kinds of entities, as illustrated in Figure 1: the cloud user that interacts with CSPs for consuming various services (e.g., data storage and data access). The user can be a data owner or a data requester; the reputation center (RC) that has functions and capability that the user does not have and is trusted to generate and provide reputation certificates for system entities regarding different data access contexts; the CSP that can be either private for specific users or public for all users and other CSPs. The private and public CSPs can collaborate together in order to provide a service requested by a user. For example, when a private CSP cannot satisfy a user’s demand, it could collaborate with other public or private CSPs. The data owned by a system entity and stored at the CSP could be accessed by another system entity during the fulfillment of a cloud service. Users are not only human beings, but also CSPs. Each CSP has its own data center for data storage, a resource center that can offer various services and a management center that is responsible for service request and provision.

The system design holds the following assumptions. RC is a trusted party for reputation generation in different data access contexts. It can collect sufficient information to conduct accurate reputation evaluation, thus provide accurate reputation information of each system entity. Multiple RCs could exist in the system. An insurance company can operate RC. It compensates loss of data disclosure. In order to earn reputation and business profits, RC should behave honestly (based on an analysis with game theory). The data owner (that is also a cloud user) has a trustworthy personal device that can directly control personal data access based on individual trust




5

evaluation on different system entities, e.g., according to social networking experiences. The CSP offers data storage services. But it could be curious to seek the privacy of other parties based on stored data and may disclose it. CSP provides stored data to a requester according to the instruction of RC and/or the data owner due to business incentive. RC is always available for registration and authorization of data access rights. But RC is not allowed to access the stored data by CSPs. RCs and CSPs don’t collude with each other due to business reasons since collusion may make both of them lose profits. This is assumed based on a game theoretic study. Concretely, if a collusion strategy is applied, CSP cannot earn revenue due to loss of data storage users and RC will lose its business since finally it cannot collect data insurance fee. The communications between the system entities are secured by applying an existing security protocol. Each cloud user registers at its delegating RCs with a unique identifier and personal data access policies. Our scheme follows existing regulations, e.g., relevant identities and qualification certificates (e.g., health physician certifications) should be registered and verified before executing our scheme.

We further assume context-aware trust evaluation is applied to support our scheme. We only consider the trust or reputation required in the context of data access. Notably, the trust level sufficient for different data access could be different. In different contexts, different trust evaluation algorithms could be applied for supporting access control. The data owner can choose RCs based on their reputations, which can be evaluated based on data owner feedback, the QoS of RC services, and so on.

B. Design Goals To achieve trustworthy data access and avoid potential risks

in cloud storage services, our design should achieve the following security and performance goals: 1) security and safety: the data stored in CSP can only be accessed by eligible system entities that are trustworthy enough; the control of data access is based on trust and reputation with a minimum risk; 2) heterogeneity: the proposed scheme can support various data access demands. It can support data access directly controlled by the data owner and/or by one or more RCs in an indirect way when the data owner is not available or cannot make an access decision; 3) flexibility: the proposed scheme can be flexibly applied to satisfy different access control scenarios, strategies and policies; 4) lightweight: the scheme controls cloud data access with minimum computation and communication overhead.

IV. THE PROPOSED SCHEME

A. Notations/Preliminaries and Definitions Bilinear pairing: Let 𝔾 and 𝔾! be two cyclic multiplicative

groups with the same prime order 𝑝, that is, 𝔾 = |𝔾!| = 𝑝. Let 𝑔 be a generator of 𝔾 . Let us have a bilinear map ℯ ∶ 𝔾 × 𝔾 → 𝔾!, with the following properties:

• Bilinear: for all 𝑢, 𝑣 ∈ 𝔾 and 𝑎, 𝑏 ∈ 𝑍! , ℯ(𝑢! , 𝑣!) =ℯ(𝑢, 𝑣)!".

• Non-degenerate: ℯ(𝑔,𝑔) ≠ 1 for the generator 𝑔. • Computable: there is an efficient algorithm to compute

ℯ(𝑢, 𝑣) for any 𝑢, 𝑣 ∈ 𝔾. Definition: Individual Trust Level (TL) is the trust

evaluated by a data owner based on personal interaction and experiences (e.g., in social networking activities). Herein, we divide trust into discrete levels according to its value, e.g., 𝑇𝐿! represents the i-th level of TL, 𝑖 ∈ (0, 𝐼!" , where 𝐼!" is the maximum level of TL.

To effectively secure private data over the cloud, we resort to controlling the data access based on trust levels assessed by the data owner by applying ABE. The advance is the owner can issue to a number of eligible users by performing encryption computation only once. But different users cannot collude with each other because their decryption keys are personalized. Herein, we illustrate our scheme with CP-ABE. Notably, KP-ABE can also be applied to implement our scheme. Adopting CP-ABE saves efforts of key management, while applying KP-ABE can save the computation cost of data encryption.

Definition: Reputation Value (RV) is the trust evaluated by a reputation center based on public feedback and extensive performance monitoring and reporting. 𝑅!(𝑡) denotes the reputation value of entity e at time t. 𝑅!(𝑡) ∈ [0, 1 , scaling from fully disreputable to fully reputable.

Proxy Re-Encryption: A PRE scheme is represented as a tuple of (possibly probabilistic) polynomial time algorithms (KG; RG; E; R; D) [25]:

• (KG; E; D) are the standard key generation, encryption, and decryption algorithms for an underlying public key encryption scheme. On input of a security parameter 1!, KG outputs a public and private key pair (𝑝𝑘! , 𝑠𝑘! ) for entity A. On input 𝑝𝑘! and data M, E outputs a ciphertext C_A = E(𝑝𝑘! ; M). On input 𝑠𝑘! and ciphertext C_A, D outputs the plain data M = D(𝑠𝑘! ; C_A).

• On input ( 𝑝𝑘! ; 𝑠𝑘! ; 𝑝𝑘! ), the re-encryption key generation algorithm, RG, outputs a re-encryption key rk_A→B for entity B.

• On input rk_A→B and ciphertext C_A, the re-encryption function R, outputs R(rk_A→B; C_A) = E(𝑝𝑘! ; M) = C_B, which can be decrypted with private key 𝑠𝑘! .

We further resort to controlling data access based on the reputation evaluated by one or more RCs by applying PRE to convert encrypted data to the form that can be decrypted by eligible and reputable requesters according to the pre-defined policy of the data owner. Introducing RCs can ensure the control availability even though the data owner is not available or has no idea how to control the access. Meanwhile, RCs cannot get the plaintext of data in PRE.

B. Scheme Summary We propose multi-dimensional data access control based on

individual trust evaluated by the data owner and/or public reputation evaluated by one or more RCs during the fulfillment of a cloud service. Taking two-dimensional control as an example, the data owner encrypts its data with a




6

symmetric secret key 𝐾. It divides 𝐾 into two parts: 𝐾! and 𝐾!. It respectively encrypts 𝐾! with RC’s public key 𝑝𝑘_𝑅𝐶 and 𝐾! with a public attribute key 𝑝𝑘_𝑇𝐿 with regard to an individual trust attribute. It uploads the encrypted data and the above two encrypted partial keys to CSP. When a user requests accessing the data, the CSP checks if the user (i.e., a requestor) is in a greylist. If the check is negative, CSP forwards its request to RC and the data owner based on the owner’s access policy. RC checks the user’s reputation and generates a re-encryption key for the user to decrypt 𝐾! if it is eligible based on the policy defined by the data owner (e.g., the reputation of user 𝑒 is over a pre-defined threshold 𝑡ℎ𝑟 at the checking time 𝑡 , 𝑅! 𝑡 > 𝑡ℎ𝑟 ). Meanwhile, the owner issues a personalized secret key to the requestor to allow it to get 𝐾! if its trust level satisfies the access policy. By achieving both 𝐾! and 𝐾!, the requestor can access the encrypted data.

In case that the requestor is not eligible to access the data (e.g., the reputation/trust level of the requestor is below a threshold), RC and/or the data owner will inform CSP to put it into a greylist. Thus CSP will block this requestor’s access in the future. If the requestor later on becomes eligible, RC and/or the data owner inform CSP to remove it from the greylist. We will discuss how to ensure CSP to process as expectation in Section IV. 𝐾! and 𝐾! can be flexibly set based on different application

scenarios and access strategies of the data owner. If the data owner would like to control data access only by itself, 𝐾! is 𝑛𝑢𝑙𝑙 and 𝐾! = 𝐾. If it would like to control data access only by RC, 𝐾! = 𝐾 and 𝐾! = 𝑛𝑢𝑙𝑙. If the data owner would like to control its data access by both individual trust and public reputation (i.e., by both the data owner and RC), neither 𝐾! nor 𝐾! is null, and aggregating 𝐾! and 𝐾! can get 𝐾. If the data owner would like to control its data access by either individual trust or public reputation (i.e., by either the data owner or RC), 𝐾! = 𝐾! = 𝐾 ≠ 𝑛𝑢𝑙𝑙. If the data owner doesn’t want to control its data access, 𝐾! = 𝐾! = 𝐾 = 𝑛𝑢𝑙𝑙 . That means plain data are stored at the data center of CSP.

Notably, the data encryption key 𝐾 can be divided into multiple parts in order to really support multi-dimensional data access control. For example, the data owner can set the access control strategy such as controlling its data access based on the reputations evaluated by multiple RCs in order to highly ensure data security and privacy, especially when it is off-line. In this case 𝐾 is separated into multiple parts 𝐾!,𝐾!, …, 𝐾! (𝑛 ≥ 2). The data owner encrypts different parts of 𝐾 with different RC’s public keys 𝑝𝑘_𝑅𝐶!. Later on, the data access can be controlled by all RCs (e.g., with regard to different reputation properties or contexts) by issuing re-encryption keys to decrypt different parts of 𝐾. Obviously, our scheme can flexibly support controlling cloud data access by not only the data owner, but also a number of RCs.

The data owner manages the policy of data access control. It decides who has rights to control the data access. Our scheme is very flexible to handle many cases: data is controlled by the owner itself, or only one RC, or multiple RCs or all above at the same time. Their control relationship

could be “or”, not only “and”, in order to ensure control availability. In case some control party is not always online, another party can delegate the duty. We achieve this by issuing the same partial key to multiple parties (e.g., RCs).

C. Required Keys Table I summaries the keys related to the proposed scheme.

TABLE I. SUMMARY OF APPLIED KEYS

Keys Description Usage 𝐾 The data encryption key Encrypting data 𝐾!, 𝐾!, … The different parts of 𝐾 Aggregating all parts of

𝐾 can get a complete 𝐾 𝑃𝐾 The global public key Input for ABE operations 𝑀𝐾 The master key Creation of user keys 𝑝𝑘_𝑢 The public key of user 𝑢

w.r.t. ABE Unique ID of user and the key for verification of the user’s attributes; used for personalized secret attribute key generation for 𝑢

𝑠𝑘_𝑢 The secret key of user 𝑢 w.r.t. ABE

Generation of public key of TL for 𝑢 and used for issuing secret attribute keys to 𝑢′ based on TL eligibility

𝑝𝑘_(𝑇𝐿,𝑢) The public key of attribute TL generated by user 𝑢

Encryption of 𝐾! generated by user 𝑢

𝑠𝑘_(𝑇𝐿,𝑢,𝑢′) The secret key of attribute TL for user 𝑢′ issued by 𝑢

Decryption of 𝐾! generated by user 𝑢 for 𝑢′

𝑝𝑘!" The public key of RC w.r.t. PRE

Encryption of partial 𝐾

𝑠𝑘!" The secret key of RC w.r.t. PRE

Generation of re-encryption key at RC

𝑝𝑘! The public key of entity u w.r.t. PRE

Generation of a re-encryption key for u

𝑠𝑘! The private key of entity u w.r.t. PRE

Decryption of re-encrypted partial key for u

𝑟𝑘_𝑅𝐶 → 𝑢 Re-encryption key to re-encrypt a ciphertext computed under RC’s public key into one that can be decrypted using 𝑢’s privacy key.

Re-encryption of partial symmetric key 𝐾

D. Scheme The proposed scheme consists of a number of fundamental

algorithms as described below. Setup. The Setup algorithm takes as input the implicit

security parameter 1! . It chooses a bilinear multiplicative group 𝔾 of prime order 𝑝 with generator 𝑔 and a pairing ℯ ∶ 𝔾 × 𝔾 → 𝔾!. Next it chooses a random point 𝑃 ∈ 𝔾, and a random exponent 𝑦 ∈ ℤ!. Then it outputs the public key 𝑃𝐾 = 𝔾,𝔾! , 𝑒,𝑔,𝑃, 𝑒 𝑔,𝑔 ! , and the master key 𝑀𝐾 =𝑔! . This process is conducted at the user device or a trustworthy user agent. Meanwhile, each RC generates its public and private keys 𝑝𝑘!" and 𝑠𝑘!" for the purpose of PRE.

ABEUserKeyGeneration(PK, MK, u). This algorithm takes as input the public key 𝑃𝐾, the master key 𝑀𝐾, and a unique user identity 𝑢 . It chooses a random secret 𝑚𝑘! ∈ ℤ! and outputs a public user key 𝑝𝑘_𝑢 = 𝑔!"!, that will be used to issue secret attribute keys for 𝑢 , and a secret user key




7

𝑠𝑘_𝑢 = 𝑀𝐾 ∙ 𝑃!"! = 𝑔! ∙ 𝑃!"!, used for the decryption of ciphertexts. It also uniformly and randomly chooses a hash function 𝐻!"_! ∶ 0,1 ∗ → ℤ! from the finite family of hash functions. This process is also conducted at the user device or a trustworthy user agent.

PREUserKeyGeneration(u). This algorithm generates pubic key 𝑝𝑘! and private key 𝑠𝑘! for PRE [26].

𝑝𝑘! = 𝑍!! ,𝑔′!! , 𝑠𝑘! = 𝑎!, 𝑎! . The system parameters are random generators 𝑔′ ∈ 𝔾 ,

𝑍 = 𝑒(𝑔,𝑔) ∈ 𝔾! , and 𝑎!, 𝑎! ∈ ℤ! . 𝑝𝑘! is used for generating the re-encryption key at RC for 𝑢. This algorithm is still conducted at the user device or a trustworthy user agent.

CreateEncryptionKey(). The algorithm generates a symmetric key 𝐾 for data encryption and is performed by the data owner. In our implementation, Advanced Encryption Standard (AES) is applied.

DivideKey(K, n). The DivideKey algorithm divides input 𝐾 into 𝑛 + 1 parts, where 𝑛 ≥ 0.

CombineKey(𝐾!,𝐾!, …,𝐾! ). The CombineKey algorithm aggregates partial keys (𝐾!,𝐾!,… ,𝐾!) to get a complete key 𝐾.

CreateIndividualTrustPK(PK, TL, sk_u). The algorithm is executed by the user device whenever user 𝑢 would like to control the access of its data based on individual trust evaluation. The algorithm checks the TL related policies. If this is the case, the algorithm outputs a public attribute key of the TL for user 𝑢, denoted 𝑝𝑘_(𝑇𝐿, 𝑢), which consists two parts: 𝑝𝑘_(𝑇𝐿! , 𝑢) = < 𝑝𝑘_(𝑇𝐿! , 𝑢)′ = 𝑔!sk_u !"! , 𝑝𝑘_(𝑇𝐿! , 𝑢)′′ =

𝑒 𝑔,𝑔 !!sk_u(!"!) >, otherwise outputs NULL. Note that pk_ 𝑇𝐿, 𝑢) = 𝑝𝑘_ 𝑇𝐿! , 𝑢 , (𝑖 ∈ 0, I!" , where I!" is the maximum level of TL.

IssueIndividualTrustSK(PK, TL, sk_u, pk_u’). The algorithm is executed at the user device by checking the eligibility of 𝑢′. The algorithm checks whether 𝑢′ with public key 𝑝𝑘_𝑢′ is eligible of the attribute TL (i.e., it checks in which trust level 𝑢′ is located). If 𝑢′ is located in the trust level 𝑉!" (𝑉!" is an integer and 𝑉!"∈[0, I!"]), we said 𝑢′ is eligible for attribute 𝑇𝐿! , (𝑖 ≤ 𝑉!"). Then the algorithm outputs a secret TL key 𝑠𝑘_(𝑇𝐿, 𝑢, 𝑢′) for user 𝑢': 𝑠𝑘_ 𝑇𝐿! , 𝑢, 𝑢′ = 𝑝𝑘_𝑢′!!"_!(!"!) = 𝑔!"!!!!"_!(!"!), (𝑖 = 𝑉!").

Otherwise, the algorithm outputs NULL. Encrypt0(𝑃𝐾,𝐾!,𝐴𝐴,𝑝𝑘_(𝑇𝐿, 𝑢)). This algorithm takes as

input the partial key 𝐾! and the public keys 𝑝𝑘_(𝑇𝐿, 𝑢) , corresponding to the individual trust occurring in the data access policy 𝐴𝐴 of user 𝑢. The algorithm encrypts 𝐾! with the policy 𝐴𝐴 and outputs the cipher-key 𝐶𝐾!.

The access policy 𝐴𝐴 can be described as 𝐴𝐴 = 𝑇𝐿_𝑗!!!! ,

where m represents the number of selected TL. 𝑇𝐿! represents an individual trust level set by 𝑢 to control the access. 𝑇𝐿_𝑗 = 𝑇𝐿! means that 𝑢 gives the users with 𝑇𝐿! the authority to decrypt the cipher-key. For example, 𝐼!" = 5, 𝐴 =𝑇𝐿! 𝑇𝐿! means the users with 𝑇𝐿 ≥ 4 can be granted access rights. The Encrypt0 algorithm iterates over all 𝑗 = 1,… ,𝑚. It

generates a random value 𝑅! ∈ ℤ!, for each required TL level 𝑇𝐿! in the policy and constructs 𝐶𝐾!! as:

𝐶𝐾!! = 𝐸! = 𝐾! ∙ 𝑝𝑘_(𝑇𝐿! , 𝑢)!!!!

𝐸!! = 𝑃!!，𝐸!!! = 𝑝𝑘_(𝑇𝐿! , 𝑢)!

!! .

This process is conducted at the device of a data owner. The owner publishes the output of the algorithm along with its encrypted data to CSP.

Decrypt0 (𝑃𝐾,𝐴𝐴,𝐶𝐾!, 𝑠𝑘_𝑢′, 𝑠𝑘_(𝑇𝐿, 𝑢, 𝑢!)) . The Decrypt0 algorithm takes as input a cipher-key produced by the Encrypt0 algorithm and a key ring 𝑠𝑘!! , 𝑠𝑘_(𝑇𝐿, 𝑢, 𝑢!) for user 𝑢! . It decrypts the cipher-key 𝐶𝐾! and outputs the corresponding plain key 𝐾! if the attribute is sufficient to satisfy the policy 𝐴𝐴 used for encryption.

𝐾! = 𝐸! ∙! !!!,!"_(!"!,!,!!)

! !!!!,!"_!'.

Otherwise it outputs NULL. It is easy to verify that the decryption is correct [8]. Let

a!:= Hsk_!(𝑇𝐿!). Then, E! = 𝐾! ∙ e(g, g)!!!!!, E!!! = g!!!! and

𝐸! ∙! !!!,!"_(!"!,!,!!)

! !!!!,!!!'= 𝐾! ∙ 𝑒 𝑔,𝑔 !!!!! ∙

! !!! ,!!"!!!!

! !!!!! ,!!∙!!"!!=

𝐾! ∙ 𝑒 𝑔,𝑔 !!!!! ∙ ! !,! !!!"!!!!

! !,! !!!"!!!! ∙! !,! !!!!!= 𝐾!.

ReencryptionKeyGeneration( 𝑝𝑘!" , 𝑠𝑘!" , 𝑝𝑘!! ). This algorithm is defined in [26], the output 𝑟𝑘_𝑅𝐶 → 𝑢’ =𝑔′!!!! = 𝑝𝑘!!

!! , where 𝑎! is part of 𝑠𝑘!" and 𝑏! is part of 𝑠𝑘!!. On input 𝑝𝑘!" , 𝑠𝑘!" , and 𝑝𝑘!!, the algorithm generates the re-encryption key rk_RC→ 𝑢’ for 𝑢’ if it satisfies the access policy of the data owner based on the latest reputation evaluation at RC. The RC then forwards rk_RC→ 𝑢’ to CSP.

Encrypt1(𝑝𝑘!" ,𝐾! ). As defined in [26], a data owner encrypts its partial secret key 𝐾! (𝑛 ≥ 1) using the public key of RC to obtain the encrypted 𝐾! by 𝑝𝑘!" , denoted 𝐸(𝑝𝑘!";𝐾!),

𝐸(𝑝𝑘!" ,𝐾!) = (𝑔′! ,𝐾!𝑍!!!), where 𝑍!! is part of 𝑝𝑘!" and 𝑥 ∈ ℤ!. The owner publishes 𝐸(𝑝𝑘!" ,𝐾!) along with its encrypted data to CSP.

RE(rk_RC→ 𝑢’,𝐸(𝑝𝑘!" ,𝐾!)). If an entity 𝑢′ is allowed to access the data, CSP conducts 𝑅𝐸(𝑟𝑘_𝑅𝐶 → 𝑢’,𝐸(𝑝𝑘!" ,𝐾!)) = 𝐸(𝑝𝑘!! ,𝐾!) = 𝑍!!!!! ,

𝐾!𝑍!!! = 𝐶𝐾!, and gives it to 𝑢′ . User 𝑢! decrypts 𝐸(𝑝𝑘!! ,𝐾!) using its private key 𝑠𝑘!! to obtain 𝐾!. In the proposed scheme, CSP functions as the proxy in terms of PRE [26]. It indirectly distributes the partial secret key 𝐾! to authorized entities without learning anything about these secrets (e.g., 𝐾! and the plain data).

Decrypt1(𝑠𝑘!!, 𝐸(𝑝𝑘!! ,𝐾!)). The algorithm takes as input a cipher-key produced by the RE algorithm and 𝑠𝑘!! and decrypts the cipher-key 𝐸(𝑝𝑘!! ,𝐾!),

𝐾! = !!!!!!

(!!!!!!)!!!

.




8

Encrypt(K, M). This algorithm takes as input K and data M to get encrypted data CT. The data owner publishes CT to CSP. In our implementation AES is applied.

Decrypt(CT, K). The algorithm takes as input a cipher-text CT produced by the Encrypt algorithm and the complete encryption key 𝐾 to output the plaintext 𝑀.

E. Procedure Figure 2 illustrates the procedure of data access control

based on the proposed scheme. We suppose that user 1 (𝑢!) saved its sensitive personal data at CSP, while user 2 (𝑢!) requests to access it with the authorization of 𝑢! and one RC.

Fig. 2: A procedure of data access control

Step 0: System setups by calling Setup. Step 1: 𝑢! generates an encryption key 𝐾 and separates it

into two parts 𝐾! and 𝐾!. It encrypts data M with the secret key 𝐾 to get CT. It generates the data access policy 𝐴𝐴 with regard to individual trust level threshold, public reputation threshold for accessing M. 𝑢! uploads the encrypted data CT, policy 𝐴𝐴 and encrypted 𝐾! (𝐶𝐾!) by applying Encrypt1 and encrypted 𝐾! (𝐶𝐾! ) by applying Encrypt0 to CSP; 𝑢! also sends 𝐴𝐴 to RC.

Step 2: 𝑢! would like to access 𝑢!’s data by requesting CSP. The CSP checks the validity of its ID and the package of encrypted 𝐾 in order to decide if forwarding this request to 𝑢! and/or RC if it is not in the greylist. Based on the content in 𝐴𝐴, the CSP decides whether to contact 𝑢! and/or RC.

Step 3: If RC is contacted, RC evaluates 𝑢!’s reputation and checks if it satisfies with M’s access policy 𝐴𝐴. Based on the reputation level, RC generates 𝑟𝑘_𝑅𝐶 → 𝑢! if access is allowed; meanwhile, if 𝑢! is contacted, it checks the eligibility of 𝑢! in order to generate a personalized secret key 𝑠𝑘_(𝑇𝐿, 𝑢!, 𝑢!) for 𝑢! to decrypt 𝐶𝐾!.

Step 4: RC issues 𝑟𝑘_𝑅𝐶 → 𝑢! to the CSP that re-encrypts the 𝐶𝐾! to get 𝐸(𝑝𝑘!! ,𝐾!) if the re-encryption was never conducted; meanwhile, 𝑢! issues 𝑠𝑘_(𝑇𝐿, 𝑢!, 𝑢!) to 𝑢!.

Step 5: CSP allows 𝑢! to access requested data by providing corresponding encrypted data CT and encrypted keys (𝐶𝐾! and 𝐶𝐾!) to 𝑢!.

Step 6: 𝑢! decrypts 𝐶𝐾! and 𝐶𝐾! with the issued secret keys from 𝑢! and its private key 𝑠𝑘!!. By combining 𝐾! and 𝐾!, 𝑢! can get the complete 𝐾 to decrypt CT and get M.

Step 7: 𝑢! re-evaluates the trust based on past and newly accumulated experiences regarding the data access context. If 𝑢! has been issued the secret keys and is not eligible at present, 𝑢! will put them into its underlying data access greylist and inform the CSP. RC can re-generate reputation of different entities based on newly collected data. If RC indicates that 𝑢! doesn’t satisfy with access policy 𝐴𝐴, RC will inform the CSP to block 𝑢!’s access to 𝑢!’s data.

Note that the greylist is data-oriented since different data access may request different trust levels. Its content is dynamically upgraded based on timely trust and reputation evaluation.

F. Revocation Due to the dynamic change of trust and reputation, the data

access right should be dynamically managed. The proposed scheme applies three ways of revocation.

First, CSP follows the notification of the data owner and/or RCs to block data access if the data requestor’s trust and/or reputation levels don’t satisfy the access policy. When, the data requester’s trust and/or reputation levels reach the access threshold, the block will be released by the CSP. This approach is appropriate in the situation that CSP cooperates with the data owner and the RCs on access control. A way to ensure CSP to perform the above additional access control is applying a reputation mechanism, as illustrated in [29]. Each CSP’s reputation is evaluated according to the user’s feedback and published in order to encourage and ensure good behaviors of CSPs. For a disreputable CSP, the user will not use its services, thus the CSP will lose its users and profits.

Second, the data owner re-encrypts 𝐾! with a new TL attribute’s public key if its policy about 𝐾! is changed and sends the new 𝐶𝐾! to the CSP. The data owner will also inform the RCs to update the new policy about 𝐾! (𝑛 ≥ 1) if there is any change. Thus, later re-encryption key generation will follow the new policy at the RCs. This approach is suitable in the situation that the access policy of the data owner is updated.

Third, the data owner refresh data encryption key 𝐾 and applies a new key 𝐾′ to encrypt new data stored at the CSP. This approaches is suitable in the case that the old key could be disclosed to the CSP (e.g., by a malicious data requester or guessed by the CSP). One protection strategy is different symmetric keys are applied to encrypt different data. Another strategy is the data owner updates the symmetric key for data encryption periodically and uploading newly encrypted data to CSP. (We assume deletion of old data can be performed by CSP honestly.)

In another line of our work, we proved with game theory that CSP normally would not cooperate with malicious data requesters when applying a reputation and punishment mechanism because it will lose users and profits due to reputation loss. Due to paper size limitation, this study with a number of simulation results will be reported in another paper.




9

V. TRUST EVALUATION & REPUTATION GENERATION Trust can be assessed based on the clue showed in mobile

social networking. Herein, we apply a concrete approach for automatic trust evaluation based on mobile social networking in order to gain usability in trust evaluation. The function to calculate the trust value 𝑇𝐿(𝑢! , 𝑢!) of two persons 𝑢! and 𝑢! based on mobile social networking is proposed in our previous work [29]. Notably, other methods can also be applied and cooperate with the proposed scheme.

User feedback, performance monitoring and reporting contribute reputation generation. In [30], we proposed a concrete algorithm to support data access control in cloud computing. Notably, the trust evaluation and reputation generation are context-aware. For data access in a concrete context (e.g., health treatment), the trust is evaluated and the reputation is generated. In this paper, we focus on heterogeneous cloud data access control scheme design and evaluation.

VI. SECURITY ANALYSIS & PERFORMANCE EVALUATION

A. Security Proofs The security goal of our scheme is to guarantee that only

the users whose trust and reputation satisfy the access control policies of the data owner can access the data saved in the cloud. The proposed scheme achieves security as analyzed below. Fine-Grainedness of Access Control

Our scheme can achieve fine-grained access control. Various access policies regarding trust and/or reputation can be defined and enforced. We remove the complexity of hierarchical attribute-based fine-grained access control [22] by replacing it with trust-reputation based one. We evaluate the trust levels according to many factors and simplify the ABE attribute structure by only considering one attribute: trust levels. This design not only reduces the complexity of access policy description, but also keeps its expressivity. The computation of trust evaluation is much less complicated than embedding the trust-factor related attributes into the attribute structure of an ABE scheme. The reputation generation is performed at RC, which can release the computation burden of data owners. Apart from the above, the proposed scheme can be flexibly applied into many scenarios by cooperating with a trust management framework. Context-awareness can be easily achieved by applying context-aware trust evaluation and reputation generation. Data confidentiality

The security of this scheme is ensured by the PRE theory, ABE theory, symmetric encryption theory and public key encryption theory. In particular, we apply trust and reputation to control data access in a heterogeneous manner to enhance both security and flexibility in cloud computing.

Data confidentiality is achieved by symmetric key encryption (e.g., AES), ABE, and PRE. Assuming that the symmetric key algorithm is secure, the security of the proposed scheme relies on the security of our architecture design based on the PRE and ABE. RCs are unable to access

the user data stored in CSP even though they hold the partial encryption key (refer to 𝐸(𝑝𝑘!" ,𝐾!) ) in the case that 𝐾! ≠ 𝐾!, 𝐾! ≠ 𝑛𝑢𝑙𝑙 . Meanwhile, the plaintext of the user data is also hidden from CSP since it could only gain the re-encryption keys and the CSP, alone, cannot re-delegate the decryption rights from, for example, rk_RC→A and rk_A→B to produce rk_RC→B, because of the non-transitive property of PRE. Even though the CSP colludes with user B who has been issued the decryption right, they can only recover the weak secret ga1 instead of the private key of RC, 𝑠𝑘!" . The standard security and master key security have been proved in [26], which shows that the PRE used in our scheme is secure.

In addition to the security of the encryption algorithm, the reputation mechanism encourages the system entities to behave properly in order to retain or improve their reputation levels. User accountability can also be achieved by setting up a punishment rate according to their reputation levels when RCs issue re-encryption keys for data requesters [30]. Security Proof of ABE

We analyze the security of ABE used in our scheme by, firstly, defining a security model, which we call Game 1, and then comparing it with a modified model, Game 2, which has already been proved as secure in our previous work [21] in order to prove the security of Game 1. We sketch these two games firstly and describe the reduction procedure subsequently. It is customary to define security in a context like ours by using a model involving a game between two parties where one of the parties is an adversary who tries to get an advantage in the game. More specifically, we define the security model of our scheme as follows between an adversary 𝒜 and a challenger 𝒞. Game 1

Setup. A challenger 𝒞, who plays the role of the data owner or a trustworthy user agent, runs the Setup algorithm and gives the public key 𝑃𝐾 to an adversary 𝒜.

Phase 1. The adversary 𝒜 asks the challenger 𝒞 for an arbitrary number of user keys. Herein, the users include all kind of data consumer, such as users and CPSs who want to access the data. The challenger 𝒞 calls the ABEUserKeyGeneration algorithm for each requesting user and returns the resulting public and private user keys to 𝒜. Meanwhile, for each user, 𝒜 can request the secret and public attribute keys that 𝒞 creates by calling key generation algorithms, i.e., IssueIndividualTrustPK and IssueIndividualTrustSK algorithms, respectively.

Challenge. The adversary 𝒜 submits two messages 𝑀! and 𝑀! and an access policy 𝐴𝐴 such that none of the users he created in Phase 1 satisfy 𝐴𝐴. (If any user from Phase 1 satisfies 𝐴, the challenger aborts.) The challenger 𝒞 flips a coin 𝑏, encrypts 𝑀! under 𝐴𝐴, and gives the cipher text CT to the adversary.

Phase 2. Like in Phase 1, the adversary may create an arbitrary number of users. He can also request more secret attribute keys for the users he created in Phase 1 and Phase 2. The only restriction is if any secret attribute key would give the respective user trust level that would satisfy 𝐴𝐴, then the




10

challenger aborts. As described before, 𝒜 can always request any public attribute keys.

Guess. The adversary 𝒜 outputs a guess 𝑏! of 𝐴𝐴 . The advantage of adversary 𝒜 is defined as: Advantage = 𝑃𝑟 𝑏! = 𝑏 − 0.5. We claim that our scheme is secure in Game 1 if the advantage of the adversary 𝒜 is negligible whenever the adversary operates in probabilistic polynomial time. Game 2

The phases Setup, Phase 1, and Phase 2 are equal to the Game 1. In the Challenge phase, the adversary 𝒜 submits an access policy 𝐴𝐴 such that none of the users that he created in Phase 1 satisfy 𝐴𝐴 (but unlike the Game 1, 𝑀! and M!are not submitted). The challenger 𝒞 flips a coin 𝑏 , and creates a ciphertext for the access policy 𝐴𝐴, but instead of computing 𝐸! ≔ 𝑀 ∙ 𝑒 𝑔,𝑔 !!!!! (We replace 𝐾! with 𝑀 here for convenience) according to our encryption algorithm, he computes E! as

𝐸! =𝑒 𝑔,𝑔 !!!!! , 𝑖𝑓 𝑏 = 1𝑒 𝑔,𝑔 !! , 𝑖𝑓 𝑏 = 0

,

where all elements 𝜃! are uniformly and independently chosen random numbers from ℤ!.

Then we make the assumption that there exists a polynomial-time adversary 𝒜1 who has a non-negligible advantage in Game 1. With the help of 𝒜1 we are then able to construct another polynomial-time adversary 𝒜2 who has a non-negligible advantage in Game 2. In our previous work [21], it has been showed that Game 2 is secure under polynomial-time adversary. Then, we can draw a conclusion that the ABE used in our scheme is provable secure. Next, we show how to construct 𝒜2 from 𝒜1.

Given now an adversary 𝒜1 that has an advantage 𝜖 in Game 1, we can construct 𝒜2 as follows: in the phases Setup, Phase 1, and Phase 2, 𝒜2 forwards all messages he receives from 𝒜1 to the challenger (of the Game 2) and all messages from the challenger to 𝒜1 . In the Challenge phase, 𝒜2 receives two messages 𝑀! and 𝑀! from 𝒜1 and the challenge 𝐶 , which is either 𝑒 𝑔,𝑔 !!!!! or 𝑒 𝑔,𝑔 !! , from the challenger 𝒞. Now 𝒜2 has to play the role of the challenger in Game 1 and therefore he flips a coin 𝛽 and sends 𝐶! ≔ 𝑀! ∙ 𝐶 to 𝒜1. When 𝒜1 outputs a guess 𝛽!, 𝒜2 outputs as its own guess 1 if 𝛽! = 𝛽, or 0 if 𝛽! ≠ 𝛽. If 𝐶 = 𝑒 𝑔,𝑔 !!!!!, then 𝒜2 ’s challenge (in the game against 𝒜1 ) is 𝐶! ≔ 𝑀! ∙𝑒 𝑔,𝑔 !!!!!, which is a random encryption of 𝑀! under the public keys 𝑝𝑘_ 𝐿𝑇, 𝑢 , and consequently 𝒜1 has advantage 𝜖 of guessing the correct 𝛽! = 𝛽 . It follows that 𝒜2 has the same advantage in its own game. If 𝐶 = 𝑒 𝑔,𝑔 !!, then the challenge 𝐶! is nominally dependent of 𝛽 but in fact 𝐶! could result from each of the messages 𝑀! and 𝑀!, with a suitable choice of the parameter 𝜃!. This implies that 𝒜1 cannot have any advantage in guessing 𝛽 so the advantage of 𝒜2 is also 0. Thus, the overall advantage of 𝒜2 is !

!𝑃𝑟 𝛽! = 𝛽|𝑏 = 1 +

!!𝑃𝑟 𝛽! ≠ 𝛽|𝑏 = 0 − !

!= !

!!!+ 𝜖 + !

!!!− !

!= !

!𝜖.

Now the existence of any 𝒜1 having a non-negligible advantage in Game 1 implies the existence of an adversary 𝒜2 who succeeds with non-negligible advantage as well in Game 2. However, in [21], it is shown that no polynomial time adversary can have a non-negligible advantage in Game 2. So we can conclude that no 𝒜1 can have non-negligible advantage in Game 1.

According to the analysis above, we can conclude that the data confidentiality of our proposed scheme is provably secure under the protection of ABE.

B. Performance Analysis Computation Complexity

We analyze the computation complexity of the following operations: setup, CP-ABE user key generation, PRE user key generation, individual trust public key and secret key generation, re-encryption key generation and re-encryption, encryption and decryption, as well as revocation.

The setup and key generations, including the generation of the CP-ABE user key pair, the PRE user key pair and the re-encryption key, are not affected by either the specified access policy or attributes. Therefore, the computation complexity of the above operations is 𝒪 1 .

When individual trust level is considered in the access authorization, the data owner needs to generate the individual Trust Level public key for encryption and issue the private key to eligible data requesters. The computation complexity of TL public key generation depends on the total number of specified TL levels, thus the complexity is 𝒪 2𝐼!" , where 𝐼!" refers to the maximum number of TL levels. Note that each level of TL public key generation contains two exponentiations. The TL private key issuing is only related to the authorized attribute, and the computation complexity is 𝒪 1 .

The encryption contains several parts: Encrypt, Encrypt0 and Encrypt1. The first is the encryption of the data using symmetric key 𝐾, and the rest is the encryption of partial key using either CP-ABE or PRE, or both depending on the data owner’s access policy. The complexity of Encrypt depends on the size of the underlying data and it is inevitable in any cryptographic method. The complexity of Encrypt0 and Encrypt1 depends on the data owner’s policy on key division and the required TL level in the access policy. For each CP-ABE encryption operation, the complexity is 𝒪 𝐿 , where L is the number of conjunction in the specified access policy and 𝐿 ≤ 𝐼!". For each PRE encryption operation that contains two exponentiations, the complexity is 𝒪 1 . For n pieces of partial keys for RC management, the complexity is 𝒪 𝑛 .

The Decryption also contains two parts. One is decrypting divided pieces of encrypted partial keys, and the other is the decryption of the data using the plain key 𝐾 . For each decryption operation in either CP-ABE or PRE, the complexity is 𝒪 1 . Thus the total computation complexity of Decryption depends on the number of divided key pieces, i.e., 𝒪 𝑛 + 2 .

The computation complexity for applying the first approach of revocation is 𝒪 1 since there is no need to calculate new keys and perform encryption. However, communications are




11

needed between the CSP and the data owner and/or the RCs. The computation complexity for applying the second approach of revocation is 𝒪 𝐿 , where L is the number of conjunction in the ABE. In addition, communications are needed between the data owner, CSP and RCs. In the third approach, the computation complexity is 𝒪 𝐿 + 𝑛 , where n is the number of divided pieces of the symmetric key for RC management. Obviously, the computation complexity of our scheme is more efficient than existing work [10, 14, 15], especially for the first approach.

Table II summarizes the computation complexity of each system operation in our proposed scheme and compares it with two existing schemes: a KP-ABE based scheme [13] and a CP-ABE based scheme [22]. Considering the value of n and L is small in practice, e.g., n = 1 or 2, L = 5, our scheme is efficient with essential flexibility.

TABLE II. COMPUTATION COMPLEXITY

Operation Our scheme HASBE [22] Yu’s scheme [13] Setup

User Grant Encryption Decryption

User Revocation

𝒪 1 𝒪 1 + 𝑛 𝒪 𝐿 + 𝑛 𝒪 𝑛 + 2

𝒪 1 or 𝒪 𝐿 or 𝒪 𝐿 + 𝑛

𝒪 1 𝒪 2𝑀 + 𝑆 𝒪 2 Y + X

varied 𝒪 1

𝒪 Y 𝒪 Y 𝒪 S

𝒪 max ( Y ,N) 𝒪 Y

𝐼!": The maximum number of individual Trust Levels n: The number of divided pieces of the symmetric key for RC management L: The number of conjunction in specified access policy, 𝐿 ≤ 𝐼!" Y: The number of leaf nodes in an access policy tree S: The attribute set M: The number of attributes in S X: The set of translating nodes of access policy tree N: The number of group multiplication operations Communication Cost

The main cost of communications includes the transmission of the cipher text and the issue of TL private key and re-encryption keys. The cipher text transmission is inevitable in a cryptographic method. The cost of the latter part is reasonable, since the TL private key only contains one type of attribute and it is not needed every time if the access right of the user is legitimate and the data owner does not revoke the user right. Issuing the re-encryption key happens between RC and CSP, which is not repeated for each data if the re-encryption key has been issued and the user is still eligible. Additionally, the communication cost can be flexibly adjusted because the data owner can choose to use either of two kinds of access control methods handled by itself or RCs.

C. Implementation and Evaluation We implemented the proposed scheme based on Pairing

Based Cryptography (PBC) Library [27], MIRACL and JHU-MIT Libraries. The experiments were conducted on a workstation with Intel Xeon CPU E31235 and 2-GB RAM, running Ubuntu 12.04 on Oracle VirtualBox. In the experiment, we set 𝐼!" = 5.

Figure 3 shows the execution time of CP-ABE setup, CP-ABE key pair generation, PRE key pair setup and generation, TL public/secret key generation (𝐼!" = 5), and re-encryption key generation. The execution time of these operations except TL public key generation is not affected by

either the user’s preference of key division or the required individual TL. This fact consists with the analysis result shown in Table II. The PRE key pair generation takes longer time than others, about 58 milliseconds.

Fig.3: Execution time of CP-ABE setup, CP-ABE key pair generation, PRE key pair setup and generation, TL public key (I!" = 5) generation, TL secret key generation, and re-encryption key generation

The TL public key generation process varies with different number of maximum trust levels, shown in Figure 4. The TL public key generation time is changed linearly with the maximum number of trust levels. The execution time of TL secret key generation stays constant and it is about 3 milliseconds, which implies that the TL secret key issuing should be very efficient.

Fig.4: Execution time of CP-ABE TL public key and secret key generation with different maximum TL levels

Figure 5 shows the execution time of reputation generation with policy check and trust evaluation by applying the algorithms described in [29, 30]. We observe that the number of votes used in the generation influences the execution time of reputation generation at RC mainly. We also find that the processing time of individual trust evaluation is very low (refer to Figure 5(b)), which implies that the computation load is reasonable for data owners even though the number of evaluation requests is very big.




12

(a)

(b) Fig.5: (a) Execution time of reputation generation and policy check; (b) Execution time of trust evaluation

(a)

(b)

Fig.6: (a) CP-ABE encryption time of AES keys; (b): CP-ABE decryption time of AES keys

In the implementation, we used AES for symmetric encryption and tested three different sized AES keys: 128-bit, 192-bit and 256-bit. Figure 6 shows the CP-ABE encryption and decryption time of each sized AES key, regarding to different access policies (i.e., authorized individual TLs). We find that the AES key size has no much effect on the performance of CP-ABE encryption and decryption. For different individual TLs requested for data access, the encryption time varies because different numbers of authorized TLs are enabled in the access policy. The higher the required TL is, the less time the encryption process spends, shown in Figure 6(a). But the decryption time is consistent around 6.50 milliseconds, shown in Figure 6(b).

Figure 7 presents the performance of PRE operations including encryption, decryption and re-encryption. We observe that the PRE operations are also not clearly affected

by the size of (partial) AES key. This fact could benefit the data owners to choose a suitable sized symmetric key to satisfy its security requirement.

The re-encryption key generation can be skipped at RC if the re-encryption key has been already generated and the user’s reputation remains. Figure 8 compares the processing time at RC in two cases: with the re-encryption key generation in each request and without generation by fetching it from a previously stored record. The processing time includes access policy check, reputation generation and re-encryption key generation. We observed that the higher the number of requests from the requesters that have the re-encryption key issued by RC, the more time can be saved. Because a user could access cloud services many times in a same context, skipping the re-encryption key generation can greatly improve the efficiency and capacity of our scheme.

Fig.7: Execution time of PRE operations

Fig.8: Time comparison with rk_RC→u key generation for each request and without rk_RC→u key generation for old entities

D. Further Discussions Flexibility and comprehensiveness: The scheme supports

various control strategies. The data owner can set access control strategies through the way of data and key encryption. It supports hybrid access control based on either individual trust or public reputation or both. Either the data owner, the reputation centers or both can participate in the data access control, which is decided by the data owner. Free control of access can also be supported without changing the system design by setting 𝐾! = 𝐾! = 𝐾 = 𝑛𝑢𝑙𝑙. The proposed scheme




13

doesn’t request the data owner to be always online. In this case, one or multiple RCs can delegate the data owner to control data access based on reputation. Our scheme offers a comprehensive and flexible solution to support various scenarios and different data access policies or strategies.

Efficiency: Due to large-scale data management, CSP’s computational load should not be heavy from its efficiency point of view. Our scheme can release the re-encryption load of CSP. If the re-encryption has been conducted and the reputation of the data requestor remains, CSP doesn’t need to repeat this operation. In addition, there is no need for the CSP to re-encrypt the data on behalf of the data owner. We apply a greylist to control access at the CSP when a user is revoked or re-authorized.

Multi-dimensional access control: In the proposed scheme, data access is controlled by the trust individually evaluated by the data owner, and/or public reputations evaluated by one or more RCs. Note that other control attributes or reputation properties can be applied in the scheme, one example implementation approach is applying ABE to introduce new control attributes by the data owner and adopting multiple RCs to control different attributes or reputation properties in different contexts. A more efficient way is inducing the control attributes and reputation properties into the trust and reputation evaluation algorithms. In both methods, there is no need to change the structure of the proposed scheme.

Privacy: The proposed scheme supports data storage at CSP in a secure way and enhances user data privacy by hiding the plain data from the CSP and RCs. It is hard for the CSP to know the plaintext of the user data. Valid access is only allowed to the system entities that are trusted by the data owner and/or reputable based on public evidence even though the data owner may not have any direct experiences or interactions with them. If the data owner wants to control its data access directly, RC only knows a partial key at most. In this case, even though CSP and RC really collude, it is still impossible for the RC to know the complete key and get the plain data.

VII. CONCLUSION In this paper, we proposed a scheme to control cloud data

access based on trust and reputation. The scheme incorporates with a trust/reputation management framework for securing cloud computing by applying ABE, PRE and a reputation-based revocation mechanism. Our scheme can flexibly support controlling cloud data access based on trust and reputation in order to support various access strategies and scenarios. Meanwhile, it also achieves low communication and computation costs. The cloud service can be automatically secured since the related cryptographic keys can be automatically generated, issued and managed based on trust evaluation and/or reputation generation. We formally proved the security of the proposed scheme based on the security of ABE and PRE. Extensive analysis, comparison with existing work, and scheme implementation further show that our

scheme is highly efficient, very flexible and provably secure under the existing security model.

Regarding the future work, we plan to apply our scheme in real applications of cloud data protection in eHealth services and Internet of Things.

REFERENCES [1] R. Chow, et al., “Controlling data in the cloud: outsourcing computation

without outsourcing control”, Proc. of the ACM Workshop on Cloud Computing Security, 2009, pp. 85–90.

[2] S. Kamara, K. Lauter, “Cryptographic cloud storage”, Proc. of Financial Cryptography and Data Security (FC), 2010, pp. 136–149.

[3] Q. Liu, C. Tan, J. Wu, G. Wang, “Efficient information retrieval for ranked queries in cost-effective cloud environments”, Proc. of INFOCOM, 2012, pp. 2581-2585.

[4] M. Kallahalla, et al., “Plutus: Scalable secure file sharing on untrusted storage”, Proc. of the USENIX Conference on File and Storage Technologies (FAST), 2003, pp. 29–42.

[5] E. Goh, H. Shacham, N. Modadugu, D. Boneh, “Sirius: Securing remote untrusted storage”, Proc. of NDSS, 2003, pp. 131–145.

[6] J. Bethencourt, A. Sahai, B. Waters, “Ciphertext-policy attribute based encryption”, Proc. of IEEE S&P, 2007, pp. 321–334.

[7] V. Goyal, O. Pandey, A. Sahai, B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data”, Proc. of the 13th ACM CCS, 2006, pp. 89–98.

[8] S. Muller, S. Katzenbeisser, C. Eckert, “Distributed attribute-based encryption”, Proc. of the 11th Annual Int. Conf. on Information Security and Cryptology, 2008, pp. 20–36.

[9] A. Sahai, B. Waters, “Fuzzy identity-based encryption”, Proc. of 24th International Conference on the Theory and Application of Cryptographic Techniques, 2005, pp. 457–473.

[10] M. Pirretti, P. Traynor, P. McDaniel, B. Waters, “Secure attribute based systems”, Journal of Computer Security, vol. 18, no. 5, pp. 799–837, 2010.

[11] M. Blaze, G. Bleumer, M. Strauss, “Divertible protocols and atomic proxy cryptography”, Proc. of EUROCRYPT, 1998, pp. 127–144.

[12] M. Green, G. Ateniese, “Identity-based proxy re-encryption”, Proc. of ACNS, 2007, pp. 288–306.

[13] S. Yu, C. Wang, K. Ren, W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing”, Proc. of the IEEE INFOCOM, 2010, pp. 534–542.

[14] G. Wang, Q. Liu, J. Wu, M. Guo, “Hierarchical attribute-based encryption and scalable user revocation for sharing data in cloud servers”, Computers & Security, vol. 30, no. 5, pp. 320–331, 2011.

[15] S. Yu, C. Wang, K. Ren, W. Lou, “Attribute based data sharing with attribute revocation”, Proc. of the ACM ASIACCS, 2010, pp. 261–270.

[16] Z. Yan (ed.), Trust Modeling and Management in Digital Environments: from Social Concept to System Development, IGI Global, Hershey, Pennsylvania, 2010.

[17] Z. Yan, “A Comprehensive Trust Model for Component Software”, IEEE SecPerU’08, Italy, 2008, pp. 1-6.

[18] G. Wang, Q. Liu, J. Wu, “Hierarchical attribute-based encryption for fine-grained access control in cloud storage services”, Proc. of the 17th ACM CCS, 2010, pp. 735–737.

[19] M. Zhou, Y. Mu, W. Susilo, J. Yan, “Piracy-preserved access control for cloud computing”, Proc. of IEEE TrustCom11, 2011, pp. 83-90.

[20] G. Ateniese, K. Fu, M. Green, S. Hohenberger, “Improved proxy re-encryption schemes with applications to secure distributed storage,” Proc. of the 12th Annual Network and Distributed System Security Symposium, 2005, pp. 29–43.

[21] Z. Yan, M. Wang, V. Niemi, R. Kantola, “Secure pervasive social networking based on multi-dimensional trust levels”, IEEE CNS 2013, 2013, pp.100-108.

[22] Z. Wan, J. Liu, R.H. Deng, “HASBE: a hierarchical attribute-based solution for flexible and scalable access control in cloud computing”,




14

IEEE Trans. on Info. Forensics & Security, vol. 7, no. 2, pp. 743-754, 2012.

[23] Z. Yan, Y. Chen, Y. Shen, “A practical reputation system for pervasive social chatting”, Computer and System Sciences, vol. 79, no. 5, pp. 556-572, 2013.

[24] Z. Yan, Trust Management in Mobile Environments – Usable and Autonomic Models, IGI Global, Hershey, Pennsylvania, 2013.

[25] G. Ateniese, K. Fu, M. Green, S. Hohenberger, “Improved proxy re-encryption schemes with applications to secure distributed storage,” in Proc. of the 12th Annual Network and Distributed System Security Symposium, 2005, pp. 29–43.

[26] G. Ateniese, K. Fu, M. Green, S. Hohenberger, “Improved proxy re-encryption schemes with applications to secure distributed storage,” ACM Trans. on Information and System Security, vol. 9, no. 1, pp.1-30, February 2006.

[27] Pairing-Based Cryptography (PBC) library. Available: http://crypto.stanford.edu/pbc/

[28] Y. Tang, P.P.C. Lee, J.C.S. Lui, R. Perlman, “Secure overlay cloud storage with access control and assured deletion,” IEEE Trans. on Dependable and Secure Computing, vol. 9, no. 6, pp. 903-916, 2012.

[29] Z. Yan, X. Li, R. Kantola, “Personal data access based on trust assessment in mobile social networking”, in Proc. of IEEE TrustCom2014, 2014, pp. 989 - 994.

[30] Z. Yan, X. Li, R. Kantola, “Controlling cloud data access based on reputation”, Mobile Networks and Applications, Springer, 2015, Doi: 10.1007/s11036-015-0591-6.

[31] L. Zhou, V. Varadharajan, M. Hitchens, “Achieving secure role-based access control on encrypted data in cloud storage”, IEEE Trans. on Information Forensics and Security, vol. 8, no. 12, pp. 1947-1960, 2013.

[32] W. Wang, J. Han, M. Song, X. Wang, “The design of a trust and role based access control model in cloud computing”, in Proc. of 6th International Conference on Pervasive Computing and Applications, 2011, pp. 300-334.

[33] T. Zhu, W. Liu, J. Song, “An efficient role based access control system for cloud computing”, Proc. of IEEE CIT2011, 2011, pp. 97-102.

[34] S. Yang, P. Lai, J. Lin, “Design role-based multi-tenancy access control scheme for cloud services”, Proc. of International Symposium on Biometrics and Security Technologies, 2013, pp. 273-279.

[35] A. Barsoum, A. Hasan, “Enabling dynamic data and indirect mutual trust for cloud computing storage systems”, IEEE Trans. on Parallel and Distributed Systems, vol. 24, no. 12, pp. 2375-2385, 2013.

[36] G. Lin, D. Wang, Y. Bie, M. Lei, “MTBAC: a mutual trust based access control model in cloud computing”, China Communications, vol. 11, no. 4, pp. 154 – 162, 2014.

[37] K. Yang, X. Jia, K. Ren, B. Zhang, R. Xie, “DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems”, IEEE Trans. on Information Forensics and Security, vol. 8, no. 11, pp. 1790-1801, 2013.

[38] C. Ardagna, M. Conti, M. Leone, J. Stefa, “An anonymous end-to-end communication protocol for mobile cloud environments”, IEEE Trans. on Services Computing, vol. 7, no. 3, pp. 373-386, 2014

[39] M. Ambrosin, M. Conti, T. Dargahi, “On the feasibility of attribute-based encryption on smartphone devices”, Proc. of IoT-Sys’15, 2015, pp. 49-54.

Zheng Yan (M’06, SM’14) received the BEng degree in electrical engineering and the MEng degree in computer science and

engineering from the Xi’an Jiaotong University, Xi’an, China in 1994 and 1997, respectively, the second MEng degree in information security from the National University of Singapore, Singapore in 2000, and the licentiate of science and the doctor of science in technology in electrical engineering from Helsinki University of Technology, Helsinki, Finland in 2005 and 2007. She is currently a professor at the Xidian University, Xi’an, China and a visiting professor at the Aalto University, Espoo, Finland. She authored more than 100 publications and solely authored two books. She is the inventor and co-inventor of 37 patents and patent applications. Her research interests are in trust, security and privacy, social networking, cloud computing, networking systems, and data mining. Prof. Yan serves as an organization and program committee member for numerous international conferences and workshops. She is a senior member of the IEEE.

Xueyun Li received the BSc degree in electrical engineering from Beijing Jiaotong University, Beijing, China, and the second degree in Computer Engineering from Mid Sweden University, Sweden in 2011. She received the MSc degree from the Department of Communications and Networking, Aalto University, Espoo,

Finland. Her research interests are in cloud computing security and privacy.

Mingjun Wang received the BSc degree in communication and information systems from Henan Normal University, Xinxiang, China, 2011. He is currently a PhD student major in information security at the Xidian University, Xi'an, China. His research interests are in security, privacy and trust management in social networking, 5G and

cloud computing.

Athanasios V. Vasilakos (M’00–SM’11) is currently a professor with Lulea University of Technology, Sweden. He served or is serving as an Editor or/and Guest Editor for many technical journals, such as the IEEE Transactions on Network and Service Management; IEEE Transactions on Cloud

Computing, IEEE Transactions on Information Forensics and Security; IEEE Transactions on Cybernetics; IEEE Transactions on Information Technology in Biomedicine; ACM Transactions on Autonomous and Adaptive Systems; IEEE Journal on Selected Area in Communications. He is also a General Chair of the European Alliances for Innovation (www.eai.eu).

flexible data access

Documents