1 / 18

Privacy Preserving Delegated Access Control in Public Clounds

Privacy Preserving Delegated Access Control in Public Clounds. Mohamed Nabeel and Elisa Bertino , Fellow, IEEE Presented by Fusong Chen. Abstract. Current approaches to enforce fine-grained access control on confidential data

kyleigh-dallaher
Télécharger la présentation

Privacy Preserving Delegated Access Control in Public Clounds

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy Preserving Delegated AccessControl in Public Clounds Mohamed Nabeel and Elisa Bertino, Fellow, IEEE Presented by Fusong Chen

  2. Abstract Current approaches to enforce fine-grained access control on confidential data hosted in the cloud are based on the fine-grained encryption of the data; Problems: Data owners incur high communication and computation costs; Proposed approach: based on two layers of encryption, the data owner performs a coarse-grained encryption, the cloud performs a fine-grained encryption on top of the owner encrypted data; Challenging issue: decompose access control policies(ACPs), and they utilize an efficient group key management scheme that supports expressive ACPs. Their proposed system assures the confidentiality of the data and preserves the Privacy of users from cloud while delegating most of the access control Enforcement to the cloud.

  3. Contents of the paper 1 Introduction 2 Building Blocks 3 Overview of the two layer encryption 4 Policy Decomposition 5 Two Layer Encryption Approach 6 Experimental Results 7 Analysis 8 Related Work 9 Conclusion

  4. 1 Introduction • Security and privacy represent major concerns in the cloud technologies • for data storage, encryption is the approach to mitigate these concerns; • Conventional encryption approaches are not sufficient to support the • enforcement of fine-grained organizational ACPs and have limitations; • Recently proposed approaches based on broadcast key management • schemes address some of the conventional limitations, but still its encryption • activities have to be performed at the owner, thus incurs high communication • and computation cost; • This paper proposed the two layer encryption (TLE) approach, data owner • performs a coarse grained encryption over the data in order to assure the • confidentiality of the data from the cloud, then the cloud performs fine grained • encryption over the encrypted data provided by data owner based on ACPs; • Challenging issue in the TLE approach is how to decompose the ACPs so the • fine-grained attribute-based access control (ABAC) enforcement can be delegated • to the cloud while the privacy and confidentiality are assured;

  5. Traditional approaches group data items based on ACPs and Encrypt each group with a different symmetric key

  6. 2 Building Blocks 2.1 Broadcast Encryption (BE): to solve the problem of how to efficiently encrypt a message and broadcast it to a subset of the users in a system; the subset of users can change dynamically; 2.2 Oblivious Commitment Based Envelope Protocols (OCBE): provide a mechanism to obliviously deliver a message to the users who satisfy certain conditions; three entities: a server, a user, a trusted third party called identity provider; 2.3 Privacy Preserving Attribute Based Group Key Management (BGKM): This scheme uses BE scheme and the OCBE protocols; 2.4 Single Layer Encryption Approach (SLE): The SLE scheme consists of four entities: Owner, Usr, IdP, cloud;

  7. The SLE approach follows the conventional data outsourcing scenario Where the Owner enforces all ACPs through selective encryption & upload This system has 5 phases: - Identity token issuance - Identity token registration - Data encryption and uploading - Data downloading and decryption - Encryption evolution management

  8. 3 Overview of the Two Layers Encryption (TLE) TLE reduces the load on the Owner and delegates as much access control enforcement duties as possible to the Cloud four entities: User, Idp, Owner, Cloud Six phase: - Identity token issuance - Policy decomposition - Identity token registration - Data encryption and uploading - Data downloading and decryption - Encryption evolution management

  9. 4 Policy Decomposition • Important issue in the TLE approach is to distribute the encryptions between • the Owner and the Cloud; • 1st approach is for the Owner to encrypt all data items using a single symmetric • key and let the cloud perform the complete access control related encryption: • least overhead for the Owner, highest information exposure risk; • 2nd approach is for the Owner and Cloud to perform the complete access control • related encryption twice: • highest overhead for the Owner, least information exposure risk; • Alternative solution: based on decomposing ACPs so that the information • exposure risk and key management overhead are balanced

  10. The Policy Decomposition Algorithm3 Shows how the ACPs are decomposed Into two sub ACPs based on the attribute conditons

  11. 5 Two Layer Encryption Approach detailed description of the six phases of the TLE approach 5.1 Identity Token Issuance 5.2 Policy Decomposition 5.3 Identity Token Registration 5.4 Data Encryption and Upload 5.5 Data Downloading and Decryption 5.6 Encryption Evolution Management

  12. 6 Experimental Results The size of the attribute condition cover for systems having 500 and 1,500 attribute conditions as the number of attribute conditions per policy is increased

  13. The break down of the running time for the complete policy decomposition process

  14. The average time spent to execute the AB-GKM KeyGen with SLE and TLE approaches for different group sizes

  15. 7 Analysis • 7.1 SLE versus TLE • SLE approach: • The owner enforces all ACPs by fine-grained encryption; • the cloud acts as a storage repository; • High overhead for owner; • TLE approach: • Reduce the overhead by the owner; • The owner handles the minimal set of attribute conditions; • The cloud performs the necessary re-encryptions; • The cloud learns some information about the ACPs; • 7.2 Security and Privacy • SLE approach correctly enforces the ACPs through one encryption; • TLE approach correctly enforces the ACPs through two encryptions, • Each ACP is decomposed into two ACPs, the owner & cloud both enforce • one part through attribute based encryption;

  16. 8 Related Work • Fine-grained access control • Attribute based encryption • Proxy re-encryption

  17. 9 Conclusion • Current approaches to enforce ACPs on outsourced data incur high • communication and computation cost; • This paper proposed a two layer encryption based approach by delegating • some access control enforcement to cloud while also minimizing the • information exposure risks; • A key problem is how to decompose ACPs; • This TLE approach is based on a privacy preserving attribute based key • management scheme, which protects the privacy of users while enforcing • attribute based ACPs;

More Related