Secure Data Sharing With Data Integrity in Public Clouds Using Mediated Certificate-Less Encryption

Abstract:
The popularity and widespread use of Cloud have brought great convenience for data sharing and collection. Data sharing with a large number of participants must take into account several issues, including efficiency, data integrity and privacy of data owner. The shared data must be strongly secured from unauthorized accesses. The common approach to ensure confidentiality is to encrypt the data before uploading it to the cloud. Many encryption mechanisms support fine-grained encryption based access control. However, they face the key escrow problem and the revocation problem. The existing mediated Certificateless-Public Key Encryption scheme reduces the key management, but the scheme was found to be insecure against partial decryption attack. Although their scheme relies on pairing operations, that incurs considerably high computational costs. The proposed mediated certificateless Public Key Encryption (mCL-PKE) scheme provides its formal security without pairing operations. The mCL-PKE solves the key escrow problem and revocation problem. The extension of mCL-PKE scheme encrypts data efficiently for multiple users. The data integrity verifier verifies the encrypted data for efficient data sharing among users.
Index Terms:Cloud Computing, Certificateless cryptography, confidentiality, access control.
I.Introduction
Due to the benefits of public cloud storage, organizations have been adopting public cloud services such as Microsoft Skydrive and Dropbox to manage their data. However, for the widespread adoption of cloud storage services, the public cloud storage model should solve the critical issue of data confidentiality. That is, shared sensitive data must be strongly secured from unauthorized accesses. In order to assure confidentiality of sensitive data stored in public clouds, a commonly adopted approach is to encrypt the data before uploading it to the cloud. Since the cloud does not know the keys used to encrypt the data, the confidentiality of the data from the cloud is assured. However, as many organizations are required to enforce fine-grained access control to the data, the encryption mechanism should also be able to support fine-grained encryption based access control. The key management problem was solved by Identity-Based Public Key Cryptosystem (IB-PKC), but it suffers from the key escrow problem as the key generation server learns the private keys of all users. Recently, Attribute Based Encryption (ABE) has been proposed that allows one to encrypt each data item based on the access control policy applicable to the data. However, in addition to the key escrow problem, ABE has the revocation problem as the private keys given to existing users should be updated whenever a user is revoked. To solve these issues and for secure data sharing, Certificateless Proxy Re-Encryption (CL-PRE) is used. It relies on pairing operations. The recent advances in implementation techniques, the computational costs required for pairing are still considerably high compared to the costs of standard operations. The existing security model is often not sufficient to guarantee security in general protocol setting. Thus a secure mediated scheme without pairings is needed.
The existing mediated Certificateless-Public Key Encryption scheme reduces the key management. In this scheme, user’s private key consists of a secret value chosen by the user and a partial private key generated by the Key Generation Center (KGC). If any user compromised the cloud, using its private key attempts to access the data in the cloud. The scheme was found to be insecure against partial decryption attack, since their security model did not consider the capabilities of the adversary in requesting partial decryptions.
New user obtains the token from Identity Provider by submitting their details. Whenever a new user accesses CSP (Cloud Service Provider), it asks for token to authenticate the user. Hence user should obtain the token from the Identity Provider before starting access of the data in CSP. Identity provider forwards the details of the user to the CSP. CSP stores the token and user details in database. Users provide the token obtained from Identity provider while login for the access in CSP. CSP validates the token using the details stored in database. If the token is valid, users are allowed for the access in cloud. Otherwise access is denied for the user. Each user first generates its own private and public key pair, called SK and PK, using the SetPrivateKey and SetPublicKey operations respectively.