Here
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING
RELIABLE RE-ENCRYPTION
Chandrala DN 1 , Kulkarni Varsha2
1
2
Chandrala DN, M.tech IV sem,Department of CS&E, SVCE, Bangalore
Kulkarni Varsha, Asst. Prof. Department of CS&E, SVCE, Bangalore
ABSTRACT
In this paper, we propose a time-based re-encryption scheme using attribute-based encryption
(ABE). This scheme is best suited for efficient data retrieval from the cloud, which enables the cloud to
automatically re-encrypt the data based on the internal clock. It prevents the revoked users from decrypting
the data using their old decryption keys. The naive solution is built on Attribute Based Encryption, an
efficient data retrieval scheme that allows fine-grain access control based on internal clock of the server.
Keywords-Attribute-based encryption, cloud computing, proxy re-encryption
1. INTRODUCTION
Cloud is a distributed system where there are many cloud servers. In cloud environment the data
owner’s data is stored on multiple cloud servers. The cloud computing usage is rapidly growing because of the
cost savings from outsourcing data to cloud service provider (CSP). A technique to protect the data from
untrusted CSP is, the data owner to encrypt the outsourced data [1][2]. A Flexible encryption scheme like
attribute based encryption (ABE) [3][4] is used, that provides fine-grained access control.
ABE is first introduced by Sahai and Waters, provides a mechanism that ensures even when the storage
is compromised, the loss of information will be minimal. ABE binds the access control policy to the data and
users instead of having a server mediating access to files. In ABE, it encrypts the data using an access structure
with different attributes. The user issues their attribute keys instead of decryption keys for specific files.
Attributes of the user should satisfy the access structure to decrypt a particular file. For example, a file is
encrypted using access structure {(a ∧ b) ∨ c } it means that either a user with attributes a and b, or a user with
attribute c, can decrypt the file.In a secure cloud computing, the data will be stored in the encrypted form and
issue the decryption
keys to the authorized user. The problem in cloud lies in revoking access rights from
users, whose permission is taken back, will still retain the earlier keys and they can still decrypts data in the
cloud. A solution to this is to let the data owner to re-encrypt the data immediately, so that the revoked users
cannot decrypt the data by using their old decryption keys. While distributing new keys to the remaining
authorized users, it may lead to performance bottleneck where there is frequent users revocation.
An alternative solution is to apply the proxy re-encryption (PRE) technique. PRE takes the advantage
of the abundant resources from cloud by delegating the cloud to re-encrypt data [8], this approach is also known
as command-driven re-encryption scheme, where cloud servers perform re-encryption while receiving
commands from the data owner.
Fig.1: A Typical Cloud Environment
In Fig. 1, which should be propagated to CS1, CS2, and CS3? Due to a network outage, CS2 did not receive the
command, and did not re-encrypt the data. At this time, if revoked users query CS2, they can obtain the old
cipher text, and can decrypt it using their old keys.
IJRISE| www.ijrise.org|[email protected][142-146]
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
A better solution is to allow each cloud server to independently re-encrypt data without receiving any
command from the data owner. In this paper, we prop ose a secure re-encryption scheme in untrusted cloud. It is
a time based re-encryption scheme, it enables cloud server to automatically re-encrypt the data based on server
internal clock. The secure re-encryption in untrusted cloud combines the data with an access control and an
access time. Each user is issued with a key that are associated with an attribute and attribute effective time. The
data can be decrypted by the users using the keys with attribute effective time. The data owner and the CSP
share a secret key, in which each cloud server can re-encrypt data by updating the data access time according to
the cloud environment. A cloud is a distributed system, where a data owner’s data is replicated on multiple
servers for fast availability. The cloud as a distributed system experiences failures commonly, such as server
crashes and network outages. So the re-encryption commands sent by the data owner may not propagate to all
the cloud servers in a timely fashion.
The proposed scheme is reliable re-encryption in unreliable clouds (R3 scheme for short) it is a timebased re-encryption scheme that enables the cloud server to automatically re-encrypt the data based on its
internal clock. In proposed scheme the data is associated with access structure and access time. The keys
generated and issued to users are associated with attributes and attribute effective time. The data is decrypted by
the users using the keys that are associated with attributes satisfying the access structure, and attrib ute effective
time. The main contributions of this paper are as follows:
We propose an automatic, time-based, proxy re-encryption scheme suitable for cloud environment with
unpredictable server crash and network outages.
We extend an ABE scheme by incorporating timestamps to perform proxy re-encryption.
Our solution does not require perfect clock synchronization among all the cloud servers to maintain
correctness.
2. RELATED WORK
Many researchers have proposed storing encrypted data in the clou d to define against the CSP [1][2].
Under this approach, users are revoked by having a third party to re-encrypt data such that previous keys can no
longer decrypt any data [8]. The solution by [8] for instance, lets the data owner issues a re -encryption key to an
untrusted server to re-encrypt the data. Their solution utilizes PRE [8], which allows the server to re-encrypt the
stored cipher text that can only be decrypted using a different key. During the process, the server does not learn
the content of the cipher text or the decryption keys.
A Hierarchical Attribute-Based Encryption (HABE) model is combining a HIBE system and a CPABE system, to provide fine-grained access control and full delegation. Our scheme relies on time to re-encrypt
data. However, in a cloud, the internal clock of each cloud server may differ. There have been several solutions
to this problem. For instance, proposed a probabilistic synchronization scheme, for reading remote clocks in
networks subject to unbounded random message delays. The method can be used to improve the precision of
both internal and external synchronization algorithms. Message delay used to synchronize the clocks of their
host processors, time server processors communicate among themselves by sending messages via
communication networks.
3. PRELIMINARY
A) System model
The system consists of following subsystems.
Data owner: Data owner will upload the files to the cloud and can update the contents of the file. It uses
ABE to generate the keys for encrypting the file and stores in the cloud.
Data User: The Data user requests for the particular file from cloud, the ABE generates keys for
decryption and the user downloads the file.
Cloud Storage Server: The encrypted data and keys will be stored in the cloud server, based o n server time it
re-encrypts the file and stores in cloud.
IJRISE| www.ijrise.org|[email protected][142-146]
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
B) Design model
The main design goal is to protect the data in the cloud and providing security to data. The security
requirements of R3 scheme are:
1. Access control correctness: A data user with valid keys can only decrypt the file.
2. Data consistency: The data user requests for a particular file F, should get the same contents in same time
slice.
3. Data confidentiality: The contents of the file should be known only to the user with valid keys.
4. Efficiency: The cloud server should not re-encrypt the file without any data user request.
C) Adversary model
There are two types of adversaries in this system: CSP and malicious user. The CSP adversary is honest but
it is curious, it executes the protocol correctly but it tries to get additional information about the stored data. It
tries to learn the contents of the file that he is unauthorized to access. The adversary possesses invalid keys with
incorrect attributes or time slice. The CSP and malicious adversaries may exist together.
3.1 Basic R3 Scheme
In basic R3 scheme, the ideal condition is considered when the data owner and all the cloud servers share a
synchronized clock and there should not be any transmission and queuing delays while executing read and write
commands.
A. Intuition
At first, the data owner generates a shared secret key to the CSP, the data owner encrypts file with
appropriate attribute structure and time slice and the data owner will uploads the file to t he cloud. The CSP will
send copy of the file to many cloud servers which stores an encrypted file F with A and TSi. When a user
queries the cloud server, the cloud server first uses its own clock to determine the current time slice and
Assumes that the current slices is TSi+K, then the cloud server will automatically re-encrypted F with TSi+K
without receiving any command from the data owner. During the process, the cloud server cannot learn or gain
the contents of the cipertext and the decryption keys. Only users with keys satisfying A and TSi+K can decrypt
the file F.
B. Protocol Description
The proposed R3 scheme relies on the following functions.
1)Setup ->(Public Key, Master Key, s) : At TS0, the data owner publishes the system public key and the
system master key remains as secret. And send the shared secret keys to the cloud.
2)KeyGerenate(Public Key, Master key, s ,Public key of user, Attribute, Time) -> (Secrete Key of user,
{Secrete Key period of user, Attribute}): If data owner wants to grant data user attributes with valid time period,
the data owner generates Public key of user and {Secrete Key period of user, Attribute} using the system public
key, the system master key, the shared secret key, user’s public key, user’s attributes and eligible time.
3)Encryption(public key, AccessStructure, s, TSt, File) -> (cipher text) :At time slice Tst, the data owner
encrypts file with access structure , and produces cipher text using the system public key, time slice, and plain
text file.
4)Decryption(Public Key, Cipher text, Secret key of user {secret key time of user, aij} 1<=j<=n ) -> File : At
particular time slice TSt and the user U, who possesses version t attribute secret keys on all attributes in CCi,
recovers the file by using the system public key, the user identity secret key, and the user attribute secret keys.
5)Re-Encryption(cipher text, s, TSt+k)-> Ct+k A : When the cloud server wants to return a data user with the
file at TSt+k, it updates the ciphertext from CtA to Ct+KA using the shared secret key.
The basic R3 description is divided into three stages: data owner initialization, data user read data and the data
owner write data.
1) Data owner initialization: The data owner is an interface for the file uploaders. First it runs the Setup function
to initiate the system. If the data owner wants to upload a file F to the cloud means, at first it defines an access
IJRISE| www.ijrise.org|[email protected][142-146]
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
control A for file F, and determines the current time slice TSi. At last it runs the Encryption function with A and
TSi to output the ciphertext. When the data owner wants to grant a set of attributes in a period of time to data
user, it runs the KeyGenerate function with attributes and effective time to generate keys to the user.
2) Data user read data: Data user is an interface for the file downloader, If the data user wants to access file F at
time period of TSi, then the user sends a read command R(F) to the cloud server. Afte r receiving the read
command R(F),the cloud server runs the Re-Encryption function to re-encrypt the file with time period TSi. On
receiving ciphertext, the user runs the Decryption function using keys that satisfy A and TSi to recover F.
3) Data owner write data: When the data owner wants to write file F at TSi, then it will send a write command to
the cloud server as W(F, seqnum), where seqnum is the order of the write command, it is necessary for ordering
when data owner issues multiple write commands that has to take place in one time slice. After receiving the
write command, the cloud server will commit it at the end of time period TSi.
4 .SECURITY ANALYSIS
The Encrypt algorithm in the Time scheme is the same as the Encryption algorithm in HABE that has
been proven to be semantically secure. Therefore, we consider that the time scheme is secure if the following
propositions hold:
Proposition1. The keys produced by the KeyGenerate algorithm are secure.
Proposition2. The cipher text produced by the Re-Encrypt algorithm is semantically secure.
Proposition3. Given the root secret key and the original cipher text, the CSP can know neither the underlying
data, while executing re-encryption.
Algorithm: Extended R3 (Asynchronized clock with delays)
While Receive write commands W (F, ti+1, seqnum) do
If Current time is earlier than ti+1 + α then
Build Window i for file F
Commit write command in Window i at ti+1 + α
Else
Reject the write command
Inform the data owner to send write command earlier
While Receive a read request R (F, T Si) do
If Current time is later than ti+1 + α then
Re-encrypt the file in Window i with T Si
Else
Hold on the read command until ti+1 + α
Access control correctness: It is clear that the correctness of access control is most vulnerable when a TS
changes. Let us take an example of the case where Alice has keys with effective time up to TSi, and Bob has
keys with effective time starting from TSi+1.Where assuming that the data owner updates file F to F’ such that a
user querying the file at TSi should obtain F, and a user querying the file at TSi+1 should obtain F’. The
property of access control correctness fails if Alice is able to read F, or if Bob is able to read F.
Data consistency: This property requires users that query within the same TS must receive the same data. Let us
assume that both Alice and Bob have valid keys for the appropriate time slices, and we now want to show that
so long as both Alice and Bob query within the same time slice, they must obtain the same data.
Data confidentiality: In R3 scheme, we only store encrypted data in the cloud. Since this scheme preserves the
data confidentiality operations from HABE scheme, and retain the same confidentiality properties, the cloud
without knowledge of keys cannot learn any useful information about the stored data.
Data efficiency: The cloud server does not re-encrypt a file until a data user requests that file. In the function
Re-Encrypt, when k>1, the cloud server can combine the re-encrypt operations until receiving a file access
request.
IJRISE| www.ijrise.org|[email protected][142-146]
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
5 .EXPERIMENTAL RESULT
This section provides brief description about the implementation of proposed system and result.
Implementation of proposed system is carried out using Java.
Snapshot 1 explains, the key generation for the file which is uploaded int o the cloud. It shows the random keys
generated for encryption in data owner module .Snapshot 2 shows the list of files that are uploaded to the cloud
by the Data owner, user can select the particular file and he can download the file. Snapshot 3 shows the
decryption of the file at the user end and the snapshot 4 shows the list of the files that are stored in the cloud,
which is Amazon S3 cloud.
Snapshot 1: Keys generation for Cloud
cloud
Snapshot 3: Decryption of file
Snapshot 2: List of files in
Snapshot 4: Files stored in Amazon S3 cloud
6. FUTURE ENHANCEMENT
In future, the data owner can issue a valid user a special seed value, where the user can generate keys
on his own. The challenge is to prevent the users from generating additional keys beyond their authorization.
7. CONCLUSION
In this paper, we proposed the time based scheme to achieve fine grained access control based on the
server’s internal clock. Our scheme does not rely on the cloud to reliably propagate re -encryption commands to
all servers to ensure access control correctness and our solution remains secure without perfect clock
synchronization as long as we bound the time difference between the server and the data owner.
IJRISE| www.ijrise.org|[email protected][142-146]
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
REFERENCES
[1] S. Kamara and K. Lauter, “Cryptographic cloud storage,” Financial Cryptography and Data Security, 2010.
[2] M. Armbrust, A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, and I.
Stoica, “A view of cloud computing,” Communications of the ACM, 2010.
[3] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” Advances inCryptology–EUROCRYPT, 2005.
[4] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control
of encrypted data,” in Proc. Of ACM ,2006.
[5] Qin Liu, Chiu C. Tan, Jie Wu, and Guojun Wang “Reliable Re-encryption in Unr Unreliable Clouds” in
IEEE Globecom 2011 proceedings .
[6] N. Antonopoulos and L. Gillam, “Cloud Computing: Principles, Systems and Applications,” Springer
Publishing Company, 2010.
[7] A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” in Proc. of
ACM CCS, 2008.
[8] G. Wang, Q. Liu, and J. Wu, “Hierarchical attribute-based encryption for fine-grained access control in
cloud storage services,” in Proc. Of ACM CCS (Poster), 2010.
[9] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, and fine -grained data access control in
cloud computing,” in Proc. of IEEE INFOCOM, 2010.
[10] F. Cristian, “Probabilistic clock synchronization,” Distributed Computing, 1989.
IJRISE| www.ijrise.org|[email protected][142-146]
© Copyright 2024