Multiuser access control searchable privacy‐preserving scheme in cloud storage

Searchable encryption scheme‐based ciphertext‐policy attribute‐based encryption (CP‐ABE) is a effective scheme for providing multiuser to search over the encrypted data on cloud storage environment. However, most of the existing search schemes lack the privacy protection of the data owner and have higher computation time cost. In this paper, we propose a multiuser access control searchable privacy‐preserving scheme in cloud storage. First, the data owner only encrypts the data file and sets the access control list of multiuser and multiattribute for search data file. And the computing operation, which generates the attribute keys of the users' access control and the keyword index, is given trusted third party to perform for reducing the computation time of the data owner. Second, using CP‐ABE scheme, trusted third party embeds the users' access control attributes into their attribute keys. Only when those embedded attributes satisfy the access control list, the ciphertext can be decrypted accordingly. Finally, when the user searches data file, the keyword trap door is no longer generated by the user, and it is handed to the proxy server to finish. Also, the ciphertext is predecrypted by the proxy sever before the user performs decryption. In this way, the flaw of the client's limited computation resource can be solved. Security analysis results show that this scheme has the data privacy, the privacy of the search process, and the collusion‐resistance attack, and experimental results demonstrate that the proposed scheme can effectively reduce the computation time of the data owner and the users.     

SecCloudSharing: Secure data sharing in public cloud using ciphertext‐policy attribute‐based proxy re‐encryption with revocation

An efficient cryptography mechanism should enforce an access control policy over the encrypted data to provide flexible, fine‐grained, and secure data access control for secure sharing of data in cloud storage. To make a secure cloud data sharing solution, we propose a ciphertext‐policy attribute‐based proxy re‐encryption scheme. In the proposed scheme, we design an efficient fine‐grained revocation mechanism, which enables not only efficient attribute‐level revocation but also efficient policy‐level revocation to achieve backward secrecy and forward secrecy. Moreover, we use a multiauthority key attribute center in the key generation phase to overcome the single‐point performance bottleneck problem and the key escrow problem. By formal security analysis, we illustrate that our proposed scheme achieves confidentiality, secure key distribution, multiple collusions resistance, and policy‐ or attribute‐revocation security. By comprehensive performance and implementation analysis, we illustrate that our proposed scheme improves the practical efficiency of storage, computation cost, and communication cost compared to the other related schemes.     

Secure and privacy‐preserving keyword search retrieval over hashed encrypted cloud data

Cloud computing (CC) is the universal area in which the data owners will contract out their pertinent data to the untrusted public cloud that permits the data users to retrieve the data with complete integrity. To give data privacy along with integrity, majority of the research works were concentrated on single data owner for secure searching of encrypted data via the cloud. Also, searchable encryption supports data user to retrieve the particular encrypted document from encrypted cloud data via keyword search (KS). However, these researches are not efficient for keyword search retrieval. To trounce such drawbacks, this paper proposes efficient secure and privacy‐preserving keyword search retrieval (SPKSR) system, in which the user retrieves the hashed encrypted documents over hashed encrypted cloud data. The proposed system includes three entities explicitly, (a) data owner (DO), (b) cloud server (CS), and (c) data users (DU). The owner outsources hashed encrypted documents set, along with generated searchable index tree to the CS. The CS hoards the hashed encrypted document collection and index tree structure. DU performs the “search” over the hashed encrypted data. Experimental results of the proposed system are analyzed and contrasted with the other existent system to show the dominance of the proposed system.     

A based on blinded CP‐ABE searchable encryption cloud storage service scheme

Cloud computing has great economical advantages and wide application, more and more data owners store their data in the cloud storage server (CSS) to avoid tedious local data management and insufficient storage resources. But the privacy of data owners faces enormous challenges. The most recent searchable encryption technology adopts the ciphertext‐policy attribute‐based encryption (CP‐ABE), which is one good method to deal with this security issue. However, the access attributes of the users are transmitted and assigned in plaintext form. In this paper, we propose a based on blinded CP‐ABE searchable encryption cloud storage service (BCP‐ABE‐SECSS) scheme, which can blind the access attributes of the users in order to prevent the collusion attacks of the CSS and the users. Data encryption and keyword index generation are performed by the data owners; meanwhile, we construct that CSS not only executes the access control policy of the data but also performs the pre‐decryption operation about the encrypted data to solve higher time cost of decryption calculation to the data users. Security proof results show that this scheme has access attribute security, data confidentiality, indistinguishable security against chosen keyword attack, and resisting the collusion attack between the data user and the CSS. Performance analysis and the experimental results show that this scheme can effectively reduce the computation time cost of the data owners and the data users.     

Secure‐aware and privacy‐preserving electronic health record searching in cloud environment

Cloud storage has become a trend of storage in modern age. The cloud‐based electronic health record (EHR) system has brought great convenience for health care. When a user visits a doctor for a treatment, the doctor may be necessary to access the history health records generated at other medical institutions. Thus, we present a secure EHR searching scheme based on conjunctive keyword search with proxy re‐encryption to realize data sharing between different medical institutions. Firstly, we propose a framework for health data sharing among multiple medical institutions based on cloud storage. We explore the public key encryption with conjunctive keyword search to encrypt the original data and store it in the cloud. It ensures data security with searchability. Furthermore, we adopt the identity‐based access control mechanism and proxy re‐encryption scheme to guarantee the legitimacy of access and the privacy of the original data. Generally speaking, our work can achieve authentication, keyword privacy, and privacy preservation. Moreover, the performance evaluation shows that the scheme can achieve high computational efficiency.     

区块链上基于云辅助的密文策略属性基数据共享加密方案

针对云存储的集中化带来的数据安全和隐私保护问题,该文提出一种区块链上基于云辅助的密文策略属性基(CP-ABE)数据共享加密方案。该方案采用基于属性加密技术对加密数据文件的对称密钥进行加密,并上传到云服务器,实现了数据安全以及细粒度访问控制;采用可搜索加密技术对关键字进行加密,并将关键字密文上传到区块链(BC)中,由区块链进行关键字搜索保证了关键字密文的安全,有效地解决现有的云存储共享系统所存在的安全问题。该方案能够满足选择明文攻击下的不可区分性、陷门不可区分性和抗串联性。最后,通过性能评估,验证了该方案的有效性。     

Trapdoor Security Lattice-Based Public-Key Searchable Encryption with a Designated Cloud Server

Cloud storage technique has becoming increasingly significant in cloud service platform. Before choosing to outsource sensitive data to the cloud server, most of cloud users need to encrypt the important data ahead of time. Recently, the research on how to efficiently retrieve the encrypted data stored in the cloud server has become a hot research topic. Public-key searchable encryption, as a good candidate method, which enables a cloud server to search on a collection of encrypted data with a trapdoor from a receiver, has attracted more researchers’ attention. In this paper, we propose the frist efficient lattice-based public-key searchable encryption with a designated cloud server, which can resist quantum computers attack. In our scheme, we designate a unique cloud server to test and return the search results, thus can remove the secure channel between the cloud server and the receiver. We have proved that our scheme can achieve ciphertext indistinguishability under the hardness of learning with errors, and can achieve trapdoor security in the random oracle model. Moreover, our scheme is secure against off-line keyword guessing attacks from outside adversary.     

云存储中加密数据的相似检索技术应用研究

随着云存储的广泛应用，大量数据存储在云服务器。尽管云服务提供很多便利，但数据的隐私及安全性一直是重点关注的问题，为解决数据安全问题需要将外储数据以加密的形式进行存储。加密存储的方式保护了数据不被恶意访问，然而数据的一些重要的基本应用如检索等不能实现。为了在不泄露隐私的条件下实现对加密数据的检索，很多可检索的加密方案被提出。然而，这些方案多数只能处理确切的关键字匹配检索而不能进行相似的关键字检索，相似检索在现实应用中又极其重要。本文提出一个高效的支持加密数据相似检索的方案，为了实现相似密文的检索我们利用一种被称为位置敏感的哈希算法。为了确保数据的机密性和安全性，我们给出了严格的安全定义，并且在安全定义下证明了方案的安全性。      

Searchable ciphertext‐policy attribute‐based encryption with revocation in cloud storage

To protect the sensitive data outsourced to cloud server, outsourcing data in an encrypted way has become popular nowadays. However, it is not easy to find the corresponding ciphertext efficiently, especially the large ciphertext stored on cloud server. Besides, some data owners do not want those users who attempt to decrypt to know the sensitive access structure of the ciphertext because of some business or private reasons. In addition, the user attributes revocation and key updating are important issues, which affect application of ciphertext‐policy attribute‐based encryption (CP‐ABE) in cloud storage systems. To overcome the previous problems in cloud storage, we present a searchable CP‐ABE with attribute revocation, where access structures are partially hidden so that receivers cannot extract sensitive information from the ciphertext. The security of our scheme can be reduced to the decisional bilinear Diffie–Hellman (DBDH) assumption and decisional linear (DL) assumption. Copyright © 2015 John Wiley & Sons, Ltd.     

A simplified deniable authentication scheme in cloud‐based pay‐TV system with privacy protection

Cloud computing is a milestones for computing model, which enables on‐demand, flexible, and low‐cost usage of computing resources, especially for cloud storage. Nowadays, the services of cloud‐based pay‐TV systems are emerging endlessly. But these pay‐TV systems' privacy is not given enough attention. The users not only care about their information revealed during transmission processes but are also concerned about whether the video contents that they have seen were recorded by the pay‐TV systems or not. In this work, I propose a novel deniable authentication protocol in a cloud‐based pay‐TV system, named DAP‐TV, aiming to achieve mutual authentication, deniability, and privacy protection in cloud‐based pay‐TV systems. The unique feature of our scheme is deniability which means a pay‐TV system to identify a user is a legal user, but the pay‐TV system cannot prove video contents that the user has seen to any third party over an unsecured network. In additon, our scheme is based on chaotic maps, which is a highly efficient cryptosystem and is firstly used to construct a deniable authentication scheme in pay‐TV systems. Finally, we give the formal security proof and efficiency comparison with recently related works.     

A management architecture for client‐defined cloud storage services

Cloud service providers offer virtual resources to users, who then pay for as much as they use. High‐speed networks help to overcome the limitation of geographical distances between clients and cloud servers, which encourage users to adopt cloud storage services for data backup and sharing. However, users use only a few cloud storage services because of the complexity of managing multiple accounts and distributing data to store. In this paper, we propose the client‐defined management architecture (CLIMA) that redefines a storage service by coordinating multiple cloud storage services from clients. We address practical issues of coordinating multiple cloud service providers using a client‐based approach. We implement a prototype as a realization of CLIMA, which achieves both reliability and privacy protection using erasure code and higher performance by optimally scheduling data transmission. We use our prototype to evaluate the benefits of CLIMA on commercial cloud storage service providers. Finally, CLIMA empowers clients to increase the manageability and flexibility of cloud storage services. Copyright © 2015 John Wiley & Sons, Ltd.     

云环境下安全的可验证多关键词搜索加密方案

云计算的高虚拟化与高可扩展性等优势,使个人和企业愿意外包加密数据到云端服务器.然而,加密后的外包数据破坏了数据间的关联性.尽管能够利用可搜索加密(SE)进行加密数据的文件检索,但不可信云服务器可能篡改、删除外包数据或利用已有搜索陷门来获取新插入文件相关信息.此外,现有单关键词搜索由于限制条件较少,导致搜索精度差,造成带...     

对称可搜索加密技术研究进展

云计算作为一种新型计算模式,具有海量资源、动态扩展、按需分配等特点。资源受限的用户可以将计算任务外包给云服务器,在享受高质量数据服务的同时大大降低了本地管理开销。然而,数据外包导致数据所有权与管理权分离,如何保证数据的安全性成为云计算中亟待解决的关键问题。传统的加密技术虽然可以保证数据的机密性,但是在密文中如何执行有意义的检索操作成为一个巨大的挑战。为了保证数据机密性的同时实现密文数据的高效检索,可搜索加密技术应运而生。近年来,可搜索加密方案的设计日趋多样化,旨在提高方案的实用性。该文主要围绕目前可搜索加密方案的研究热点,从4个方面展开阐述,具体包括:单关键词检索、多模式检索、前/后向安全检索和可验证检索。该文主要介绍和分析具有代表性的研究成果,总结最新研究进展及提炼关键技术难点,最后对未来的研究方向进行展望。     

Continuous leakage–resilient IBE in cloud computing

Cloud computing is an efficient tool in which cloud storage shares plenty of encrypted data with other data owners. In existing cloud computing scenarios, it may suffer from some new attacks like side channel attacks. Therefore, we are eager to introduce a new cryptographic scheme that can resist these new attacks. In this work, we exploit a new technique to build leakage‐resilient identity‐based encryption and use the stronger existing partial leakage model, such as continual leakage model. More specifically, our proposal is based on the underlying decisional bilinear Diffie‐Hellman assumption, but proven adaptively secure against adaptive chosen ciphertext attack in the standard model. Above all, a continuous leakage–resilient IBE scheme with adaptive security meets cloud computing with stronger security.     

ACDAS: Authenticated controlled data access and sharing scheme for cloud storage

Cloud storage services require cost‐effective, scalable, and self‐managed secure data management functionality. Public cloud storage always enforces users to adopt the restricted generic security consideration provided by the cloud service provider. On the contrary, private cloud storage gives users the opportunity to configure a self‐managed and controlled authenticated data security model to control the accessing and sharing of data in a private cloud. However, this introduces several new challenges to data security. One critical issue is how to enable a secure, authenticated data storage model for data access with controlled data accessibility. In this paper, we propose an authenticated controlled data access and sharing scheme called ACDAS to address this issue. In our proposed scheme, we employ a biometric‐based authentication model for secure access to data storage and sharing. To provide flexible data sharing under the control of a data owner, we propose a variant of a proxy reencryption scheme where the cloud server uses a proxy reencryption key and the data owner generates a credential token during decryption to control the accessibility of the users. The security analysis shows that our proposed scheme is resistant to various attacks, including a stolen verifier attack, a replay attack, a password guessing attack, and a stolen mobile device attack. Further, our proposed scheme satisfies the considered security requirements of a data storage and sharing system. The experimental results demonstrate that ACDAS can achieve the security goals together with the practical efficiency of storage, computation, and communication compared with other related schemes.     

云计算环境下支持排名的关键词加密检索方法

随着云计算的出现,越来越多的数据开始集中存储到云端,为了保护数据隐私,敏感数据需要在外包到云端之前进行加密,使在加密数据上进行有效检索成为一个挑战性任务。尽管传统的加密检索模型支持在加密数据上进行关键词检索,但是它们没有描述检索结果的相关度,导致返回所有包含关键词的检索结果占用了大量的网络带宽,并且用户从返回的检索结果中再次选择最相关的结果也会产生大量的时间开销,为此,提出了云计算环境下支持排名的关键词加密检索方法。该方法根据相关度返回排序后的检索结果,其中的保序对称加密模型不仅防止了相关度信息的泄漏,而且提供了高效的检索性能。实验表明了该方法的有效性。     

A prediction‐based and power‐aware virtual machine allocation algorithm in three‐tier cloud data centers

With the increasing popularity of cloud computing services, the more number of cloud data centers are constructed over the globe. This makes the power consumption of cloud data center elements as a big challenge. Hereby, several software and hardware approaches have been proposed to handle this issue. However, this problem has not been optimally solved yet. In this paper, we propose an online cloud resource management with live migration of virtual machines (VMs) to reduce power consumption. To do so, a prediction‐based and power‐aware virtual machine allocation algorithm is proposed. Also, we present a three‐tier framework for energy‐efficient resource management in cloud data centers. Experimental results indicate that the proposed solution reduces the power consumption; at the same time, service‐level agreement violation (SLAV) is also improved.     

Enhanced security‐aware technique and ontology data access control in cloud computing

Nowadays, security and data access control are some of the major concerns in the cloud storage unit, especially in the medical field. Therefore, a security‐aware mechanism and ontology‐based data access control (SA‐ODAC) has been developed to improve security and access control in cloud computing. The model proposed in this research work is based on two operational methods, namely, secure awareness technique (SAT) and ontology‐based data access control (ODAC), to improve security and data access control in cloud computing. The SAT technique is developed to provide security for medical data in cloud computing, based on encryption, splitting and adding files, and decryption. The ODAC ontology is launched to control unauthorized persons accessing data from storage and create owner and administrator rules to allow access to data and is proposed to improve security and restrict access to data. To manage the key of the SAT technique, the secret sharing scheme is introduced in the proposed framework. The implementation of the algorithm is performed by MATLAB, and its performance is verified in terms of delay, encryption time, encryption time, and ontology processing time and is compared with role‐based access control (RBAC), context‐aware RBAC and context‐aware task RBAC, and security analysis of advanced encryption standard and data encryption standard. Ultimately, the proposed data access control and security scheme in SA‐ODAC have achieved better performance and outperform the conventional technique.     

支持策略隐藏且密文长度恒定的可搜索加密方案

属性加密体制是实现云存储中数据灵活访问控制的关键技术之一,但已有的属性加密方案存在密文存储开销过大和用户隐私泄露等问题,并且不能同时支持云端数据的公开审计.为了解决这些问题,该文提出一个新的可搜索属性加密方案,其安全性可归约到q-BDHE问题和CDH问题的困难性.该方案在支持关键词搜索的基础上,实现了密文长度恒定;引入...     

Real‐time performance evaluation of asynchronous time division traffic‐aware and delay‐tolerant scheme in ad hoc sensor networks

Wireless infrastructureless networks demand high resource availability with respect to the progressively decreasing energy consumption. A variety of new applications with different service requirements demand fairness to the service provision and classification, and reliability in an end‐to‐end manner. High‐priority packets are delivered within a hard time delay bound whereas improper power management in wireless networks can substantially degrade the throughput and increase the overall energy consumed. In this work a new scheme is being proposed and evaluated in real time using a state‐based layered oriented architecture for energy conservation (EC). The proposed scheme uses the node's self‐tuning scheme, where each node is assigned with a dissimilar sleep and wake time, based on traffic that is destined for each node. This approach is based on stream's characteristics with respect to different caching behavioral and storage‐capacity characteristics, and considers a model concerning the layered connectivity characteristics for enabling the EC mechanism. EC characteristics are modeled and through the designed tiered architecture the estimated metrics of the scheme can be bounded and tuned into certain regulated values. The real‐time evaluation results were extracted by using dynamically moving and statically located sensor nodes. A performance comparison is done with respect to different data traffic priority classifications following a real‐time asymmetrical transmission channel. Results have shown the scheme's efficiency in conserving energy while the topology configuration changes with time. Copyright © 2009 John Wiley & Sons, Ltd.