ACHIEVING SECURE, SCALABLE AND FINE GRAINED DATA
ACCESS CONTROL IN CLOUD COMPUTING
Kiran V. Girase
CLOUD COMPUTING
Department of Comp & IT 1 D. N. P.COE,SHAHADA
Chapter 1
INTRODUCTION
Cloud computing is also facing many challenges that, if not well resolved, may impede
its fast growth. Data security, as it exists in many other applications, is among these challenges
that would raise great concerns from users when they store sensitive information on cloud
servers. These concerns originate from the fact that cloud servers are usually operated by
commercial providers which are very likely to be outside of the trusted domain of the users. Data
confidentiality against cloud servers is hence frequently desired when users outsource data for
storage in the cloud. In some practical application systems, data confidentiality is not only a
security/privacy issue, but also a legal concern. For example, in healthcare application
scenarios use and disclosure of protected health information (PHI) should meet the requirements
of Health Insurance Portability and Accountability Act (HIPAA), and keeping user data
confidential against the storage servers is not just an option, but a requirement. Furthermore, we
observe that there are also cases in which cloud users themselves are content providers. They
publish data on cloud servers for sharing and need fine-grained data access control in terms of
which user (data consumer) has the access privilege to which types of data. In the healthcare
case, for example, a medical center would be the data owner who stores millions of healthcare
records in the cloud. It would allow data consumers such as doctors, patients, researchers, etc.,
to access various types of healthcare records under policies admitted by HIPAA. To enforce
these access policies, the data owners on one hand would like to take advantage of the abundant
resources that the cloud provides for efficiency and economy; on the other hand, they may want
to keep the data contents confidential against cloud servers.
We address this open issue and propose a secure and scalable fine-grained data access
control scheme for cloud computing. Our proposed scheme is partially based on our observation
that, in practical application scenarios each data file can be associated with a set of attributes
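which are meaningful in the context of interest. The access structure of each user can then be
defined as a logical expression over these attributes. As such a logical expression can represent any
desired data file set, fine-grainedness of data access control is achieved. To enforce these access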
structures, we define a public key component for each attribute. Data files are encrypted using
public key components corresponding to their attributes.
User secret keys are defined to reflect their access structures so that a user is able to decrypt a
ciphertext if and only if the data file attributes satisfy his access structure. Such a design also
brings about the efficiency benefit, as compared to previous works, in that, 1) the complexity of
encryption is just related to the number of attributes associated with the data file, and is independent of
the number of users in the system; and 2) data file creation/deletion and new user grant
operations just affect current file/user without involving system-wide data file update or re-
keying. One extremely challenging issue with this design is the implementation of user
revocation, which would inevitably require re-encryption of data files accessible to the leaving
user, and may need update of secret keys for all the remaining users. If all these tasks are
performed by the data owner himself/herself, it would introduce a heavy computation overhead
on him/her and may also require the data owner to be always online. To resolve this challenging
issue, our proposed scheme enables the data owner to delegate tasks of data file re-encryption
and user secret key update to cloud servers without disclosing data contents or user access
privilege information. We achieve our design goals by exploiting a novel cryptographic
primitive, namely key policy attribute-based encryption (KP-ABE).
1.1 MODELS AND ASSUMPTIONS
1.1.1 System Models
Similar to , we assume that the system is composed of the following parties: the Data Owner,
many Data Consumers, many Cloud Servers, and a Third Party Auditor if necessary. To access
data files shared by the data owner, Data Consumers, or users for brevity, download data files of
their interest from Cloud Servers and then decrypt them. Neither the data owner nor users will
always be online; they come online only when necessary. For simplicity, we assume that the
only access privilege for users is data file reading. Extending our proposed scheme to support
data file writing is trivial by asking the data writer to sign the new data file on each update as
does. From now on, we will also call data files by files for brevity. Cloud Servers are always
online and operated by the Cloud Service Provider (CSP). They are assumed to have abundant
storage capacity and computation power. The Third Party Auditor is also an online party which is
used for auditing every file access event. In addition, we also assume that the data owner can not
only store data files but also run his own code on Cloud Servers to manage his data files. This
assumption coincides with the unified ontology of cloud computing
1.1.2 Security Models
In this work, we just consider Honest but Curious Cloud Servers as does. That is to say, Cloud
Servers will follow our proposed protocol in general, but try to find out as much secret
information as possible based on their inputs. More specifically, we assume Cloud Servers are
more interested in file contents and user access privilege information than other secret
information. Cloud Servers might collude with a small number of malicious users for the purpose
of harvesting file contents when it is highly beneficial. Communication channels between the data
owner/users and Cloud Servers are assumed to be secured under existing security protocols such
as SSL. Users would try to access files either within or outside the scope of their access
privileges. To achieve this goal, unauthorized users may work independently or cooperatively. In
addition, each party is preloaded with a public/private key pair and the public key can be easily
obtained by other parties when necessary.
1.1.3 Design Goals
Our main design goal is to help the data owner achieve fine-grained access control on files stored
by Cloud Servers. Specifically, we want to enable the data owner to enforce a unique access
structure on each user, which precisely designates the set of files that the user is allowed to
access. We also want to prevent Cloud Servers from being able to learn both the data file
contents and user access privilege information. In addition, the proposed scheme should be able
to achieve security goals like user accountability and support basic operations such as user
grant/revocation as a general one-to-many communication system would require. All these
design goals should be achieved efficiently in the sense that the system is scalable.
Chapter 2
LITERATURE SURVEY
The literature survey covers different access control mechanisms for cloud computing.
We focus mainly on attribute based access control, role based access control, identity
based encryption, attribute based encryption and role based encryption. The following table gives a
list of papers that we have surveyed. Here we list some characteristics of access
control and encryption schemes identified while surveying these papers.
The characteristics of an Ideal Access control and Encryption Schema:
Data confidentiality:
Data is encrypted before it is uploaded to the cloud, so unauthorized users of the cloud cannot
learn anything about the data stored there. Only authorized users, that is, those who hold the
decryption key, can access the data.
Fine-grained access control:
Different users in the same group can be given different access rights, so users belonging to the same
group can access different data according to their access rights.
Scalability:
An increase in the number of users may affect system performance. An ideal scheme keeps
performance unaffected as the number of authorized users grows.
Flexibility:
Flexibility of the cloud allows companies to adjust to any problems that may occur during day-
to-day operations. It also allows using extra resources at peak times, to satisfy consumer
demands.
Security:
Operations such as updating login credentials (for example, a password) or requesting extra attributes
must be performed only by a valid user. The system must also provide
protection from attacks such as session hijacking and session fixation.
A. Identity Based Encryption
Identity Based Encryption is a type of public key encryption proposed for ciphertext security.
In this scheme, the user's public key is unique information about the user's
identity, such as an email ID, and the user's private key is generated from the known identity of the
user. As a result, a user can encrypt a message without prior distribution of keys between
participants. This scheme is extremely useful where pre-distribution of keys is infeasible or
inconvenient due to technical constraints. The steps involved in Identity Based Encryption are
given below:
Setup algorithm: The Private Key Generator (PKG) executes this setup algorithm once to create the IBE
environment. The algorithm takes security parameters as input and generates:
-A set of system parameters P
-A master key Km
Private Key Generation algorithm: When a user requests his private key, the PKG
executes this private key generation algorithm. It takes the system parameters P, the master key Km
and the user ID, and outputs the private key d for user identity ID.
Encryption algorithm: This algorithm takes the system parameters P, a message m and the user's ID, and
generates an encrypted message for the user with identity ID.
Decryption algorithm: This algorithm takes the private key d, the system parameters P and the encrypted
message c, and retrieves the original message m.
B. Attribute Based Encryption
The main goal of attribute based encryption [2], proposed by Sahai and Waters, is to provide
security and access control. This scheme has a trusted authority, a data owner and a data user. The role
of the trusted authority is to generate keys for both the data user and the data owner to encrypt and decrypt
the message. In Attribute Based Encryption, a ciphertext is not encrypted only for a single user.
The drawback of the attribute based encryption scheme is that the data owner needs to use each user's
public key to encrypt data.
Sahai and Waters proposed the concept of key policy ABE, which is an enhancement of ABE and
CP-ABE [2]. KP-ABE is the dual of CP-ABE in the sense that an access policy is encoded into the
user's secret key and a ciphertext is computed with respect to a set of attributes. In ciphertext-policy
attribute-based encryption (CP-ABE), a user's private key is related to a set of attributes
and a ciphertext stipulates an access policy over the attributes defined within the system. A user
will be able to decrypt a ciphertext if and only if his attributes satisfy the policy of the respective
ciphertext.
C. Role Based Access Control
In RBAC, access to resources depends on the role assigned to the user. In this
framework, access is the ability of an individual user to perform different operations such
as creating, viewing and modifying a file. Roles depend on authority and responsibility within the
organization. Various roles are created for an organization, and permissions to perform specific
operations are assigned to specific roles. RBAC has been widely used, but has weaknesses: it is
labor-intensive and time-consuming to build a model instance, and a pure RBAC system lacks
the flexibility to adapt efficiently to changing users, objects, and security policies. In particular, it is
impractical to manually make (and maintain) user-to-role assignments and role-to-permission
assignments in an industrial context characterized by a large number of users and/or security
objects.
Figure.2.1 Role Based Access Control
D. Attribute Based Access Control
In attribute based access control [3], each user is associated with a finite set of attributes. The data
owner assigns attributes to a particular user according to the type of user. When a user logs in
and requests data, the user can access only the assigned attributes. The set of attributes defines the
access control.
Figure.2.2 Attribute Based Access Control
E. Hybrid Access Control (ABAC+RBAC)
Combining role based access control and attribute based access control is emerging as a promising
paradigm. In this scheme we combine role based access control with attribute based access
control to get the advantages of both. The proposed scheme considers three approaches
to using role based access control and attribute based access control:
-Dynamic roles
-Attribute based
-Role based
Figure.2.3 Hybrid access control
Dynamic roles:
The first approach combines role based access with attribute-driven access. Because we are
aiming at fine-grained access control, we can assign a user a particular role together with some extra
attributes. With the decryption key, the user can access the data assigned to
that role as well as the extra attributes. If a user requests attributes beyond those of the role
assigned, we create a dynamic role for that user and, depending on the trust value of the
user, assign the extra attributes to that user.
Attribute Based:
The second approach is attribute based: the attributes assigned to a user do not come from a single
role. In this case we use attribute based access control, so users can access different
attributes related to different roles.
Role Based:
The third option simply follows role based access control: roles are assigned to the users,
and the attributes accessible to a user depend on which role is assigned to that user.
These attribute-based policies bring to RBAC the advantages of ABAC: they are easy to
construct and easy to adapt to changes. Using this mechanism in large-scale applications, we
can address the problem of permission assignment. This model is motivated by the characteristics and
requirements of industrial control systems, and reflects in part certain approaches and practices
common in the industry.
F. Hierarchical Attribute and Role based access control
In the HASBE [4] scheme, a hierarchical user structure is used with ASBE. The HASBE scheme is based
on attribute based access control. In our proposed scheme, we use hybrid access control to
get the advantages of both attribute based access control and role based access control.
Figure.5 shows hierarchical structure of system users using role and trust management. Our
system model consists of a trusted authority, multiple domain authorities, and numerous users
corresponding to data owners and data consumers. The trusted authority is responsible for
generating and distributing system parameters and root master keys as well as authorizing the
top-level domain authorities.
Figure.2.4 Hierarchical system users, Role and Trust management.
Trust Management:
Trust management is the mechanism used when assigning extra attributes to a user. When a user
requests attributes beyond the assigned ones, a higher authority checks the
trust value of that user. If the trust value is above the threshold value, the attributes are assigned
to the user; otherwise they are not assigned. Trust management helps the data
owner to assign new attributes by considering the trust value.
Chapter 3
Software and Hardware Requirement Specification
3.1 HARDWARE DESCRIPTION
The selection of hardware is very important in the existence and proper working of any
software. When selecting hardware, the size and requirements are also important.
Minimum Requirements:
Processor : Pentium II class, 450MHz
RAM : 128MB
Hard Disk Drive : 3GB
Video : 800X600, 256 colors
CD-ROM : Required
The proposed System is developed on:
Processor : INTEL Pentium 4
RAM : 512MB
Hard Disk Drive : 40GB
Key Board : Standard 101/102 or Digi Sync Family
Monitor : Display Panel (1024 X 764)
Display Adapter : Trident Super VGA
Network Adapter : SMC Ethernet Card Elite 16 Ultra
Mouse : Logitech Serial Mouse
3.2 SOFTWARE DESCRIPTION
Operating System : Windows XP
Front- End : C#. NET with ASP. NET
Back- End : MS SQL SERVER 2005 EXPRESS
Chapter 4
ARCHITECTURE
We consider a cloud data system consisting of data owners, data users, Cloud Servers, and a Third
Party Auditor. A data owner stores his sensitive data on Cloud Servers. Users are issued
attributes. To access the remote stored data files shared by the data owner, users need to
download the data files from the Cloud Servers. For simplicity, we assume that the only access
privilege for users is data file reading. Cloud Servers are always online and operated by Cloud
Service Provider (CSP). The Third Party Auditor is also an always online party which audits
every file access event. In addition, we also assume that the data owner can store data files
besides running his own code on Cloud Servers to manage his data files.
Figure 4.1 Architecture of cloud computing
Chapter 5
MODULE DESCRIPTION
5.1 Key Policy Attribute-Based Encryption (KP-ABE)
KP-ABE is a public key cryptography primitive for one-to-many communications. In KP-ABE,
data are associated with attributes for each of which a public key component is defined. The
encryptor associates the set of attributes to the message by encrypting it with the corresponding
public key components. Each user is assigned an access structure which is usually defined as an
access tree over data attributes, i.e., interior nodes of the access tree are threshold gates and leaf
nodes are associated with attributes. User secret key is defined to reflect the access structure so
that the user is able to decrypt a ciphertext if and only if the data attributes satisfy his access
structure. A KP-ABE scheme is composed of four algorithms which can be defined as follows:
5.1.1 Setup
This algorithm takes as input a security parameter $\kappa$ and the attribute universe $U = \{1, 2, \ldots, N\}$
of cardinality $N$. It defines a bilinear group $G_1$ of prime order $p$ with a generator $g$, and a bilinear map
$e : G_1 \times G_1 \to G_2$ which has the properties of bilinearity, computability, and non-degeneracy.
It returns the public key $PK$ as well as a system master key $MK$ as follows:
$PK = (Y, T_1, T_2, \ldots, T_N)$
$MK = (y, t_1, t_2, \ldots, t_N)$
where $T_i \in G_1$ and $t_i \in \mathbb{Z}_p$ are for attribute $i$, $1 \le i \le N$, and $Y \in G_2$ is another public key
component. We have $T_i = g^{t_i}$ and $Y = e(g, g)^y$, $y \in \mathbb{Z}_p$. While PK is publicly known to all the
parties in the system, MK is kept as a secret by the authority party.
5.1.2 Encryption
This algorithm takes a message M, the public key PK, and a set of attributes I as input. It outputs
the ciphertext E with the following format:
$E = (I, \tilde{E}, \{E_i\}_{i \in I})$
where $\tilde{E} = M Y^s$, $E_i = T_i^s$, and $s$ is randomly chosen from $\mathbb{Z}_p$.
5.1.3 Key Generation
This algorithm takes as input an access tree $T$, the master key $MK$, and the public key $PK$. It
outputs a user secret key $SK$ as follows. First, it defines a random polynomial $p_i(x)$ for each node
$i$ of $T$ in the top-down manner starting from the root node $r$.
For each non-root node $j$, $p_j(0) = p_{parent(j)}(idx(j))$, where $parent(j)$ represents $j$'s parent
and $idx(j)$ is $j$'s unique index given by its parent. For the root node $r$, $p_r(0) = y$. Then it outputs
$SK$ as follows.
$SK = \{sk_i\}_{i \in L}$
where $L$ denotes the set of attributes attached to the leaf nodes of $T$ and $sk_i = g^{p_i(0)/t_i}$.
5.1.4 Decryption
This algorithm takes as input the ciphertext $E$ encrypted under the attribute set $I$, the user's secret
key $SK$ for access tree $T$, and the public key $PK$. It first computes $e(E_i, sk_i) = e(g, g)^{p_i(0) s}$ for
leaf nodes. Then, it aggregates these pairing results in the bottom-up manner using the
polynomial interpolation technique. Finally, it may recover the blind factor $Y^s = e(g, g)^{ys}$ and
output the message $M$ if and only if $I$ satisfies $T$.
5.2 Proxy Re-Encryption (PRE)
Proxy Re-Encryption (PRE) is a cryptographic primitive in which a semi-trusted proxy is able to
convert a ciphertext encrypted under Alice’s public key into another ciphertext that can be
opened by Bob’s private key without seeing the underlying plaintext. More formally, a PRE
scheme allows the proxy, given the proxy re-encryption key $rk_{a \leftrightarrow b}$, to translate ciphertexts
under public key $pk_a$ into ciphertexts under public key $pk_b$ and vice versa.
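An added example, not code from this report: a bidirectional proxy re-encryption of the kind described above, written as the classic ElGamal-style construction (Blaze, Bleumer and Strauss), which is an assumption since the report does not name a concrete PRE scheme. The group parameters, fixed keys and function names are constructed toy values.

```python
import secrets

# Toy group (constructed): P = 2*Q + 1 is a safe prime, G generates the
# order-Q subgroup of Z_P^*. Far too small for real use.
P, Q, G = 2039, 1019, 4


def keygen(sk=None):
    sk = secrets.randbelow(Q - 1) + 1 if sk is None else sk
    return sk, pow(G, sk, P)                       # (private a, public pk_a = g^a)


def encrypt(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P) % P, pow(pk, r, P))   # (m * g^r, g^{a r})


def decrypt(sk, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)               # (g^{a r})^{1/a} = g^r
    return c1 * pow(g_r, -1, P) % P


def rekey(sk_a, sk_b):
    # rk_{a<->b} = b / a mod Q; its inverse translates in the other direction.
    # Custody caveat: rk together with either private key determines the other,
    # so the proxy must not collude with either key holder.
    return sk_b * pow(sk_a, -1, Q) % Q


def reencrypt(rk, ct):
    c1, c2 = ct
    return (c1, pow(c2, rk, P))                    # g^{a r} -> g^{b r}; c1 untouched


def demo():
    a, pk_a = keygen(123)                          # constructed fixed keys
    b, pk_b = keygen(456)
    m = 1234                                       # stand-in for a data encryption key
    ct_a = encrypt(pk_a, m)
    rk = rekey(a, b)
    ct_b = reencrypt(rk, ct_a)                     # proxy step: no plaintext involved
    back = reencrypt(pow(rk, -1, Q), ct_b)         # "vice versa": b -> a
    return {
        "bob": decrypt(b, ct_b),
        "alice_again": decrypt(a, back),
        "bob_on_original": decrypt(b, ct_a),       # Bob without the proxy step
        "c1_unchanged": ct_a[0] == ct_b[0],
    }


if __name__ == "__main__":
    print(demo())
```

The proxy only exponentiates the second ciphertext component; it never holds a value from which the plaintext can be computed without one of the private keys.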
Figure 5.1 An exemplary case in the healthcare scenario
5.2.1 OUR PROPOSED SCHEME
5.2.1.1 Main Idea
In order to achieve secure, scalable and fine-grained access control on outsourced data in the
cloud, we utilize and uniquely combine the following three advanced cryptographic techniques:
KP-ABE, PRE and lazy re-encryption. More specifically, we associate each data file with a set of
attributes, and assign each user an expressive access structure which is defined over these
attributes. To enforce this kind of access control, we utilize KP-ABE to escort data encryption
keys of data files. Such a construction enables us to immediately enjoy fine-grainedness of access
control. However, this construction, if deployed alone, would introduce heavy computation
overhead and cumbersome online burden towards the data owner, as he is in charge of all the
operations of data/user management. Specifically, such an issue is mainly caused by the
operation of user revocation, which inevitably requires the data owner to re-encrypt all the data
files accessible to the leaving user, or even needs the data owner to stay online to update secret
keys for users. To resolve this challenging issue and make the construction suitable for cloud
computing, we uniquely combine PRE with KP-ABE and enable the data owner to delegate most
of the computation intensive operations to Cloud Servers without disclosing the underlying file
contents.
Such a construction allows the data owner to control access of his data files with a minimal
overhead in terms of computation effort and online time, and thus fits well into the cloud
environment. Data confidentiality is also achieved since Cloud Servers are not able to learn the
plaintext of any data file in our construction. For further reducing the computation overhead on
Cloud Servers and thus saving the data owner’s investment, we take advantage of the lazy re-
encryption technique and allow Cloud Servers to “aggregate” computation tasks of multiple
system operations. As we will discuss in section V-B, the computation complexity on Cloud
Servers is either proportional to the number of system attributes, or linear to the size of the user
access structure/tree, which is independent of the number of users in the system. Scalability is
thus achieved. In addition, our construction also protects user access privilege information
against Cloud Servers. Accountability of user secret key can also be achieved by using an
enhanced scheme of KP-ABE.
5.2.1.2 Definition and Notation
For each data file the owner assigns a set of meaningful attributes which are necessary for access
control. Different data files can have a subset of attributes in common. Each attribute is
associated with a version number for the purpose of attribute update as we will discuss later.
Cloud Servers keep an attribute history list AHL which records the version evolution history of
each attribute and PRE keys used. In addition to these meaningful attributes, we also define one
dummy attribute, denoted by symbol AttD for the purpose of key management. AttD is required
to be included in every data file’s attribute set and will never be updated. The access structure of
each user is implemented by an access tree. Interior nodes of the access tree are threshold gates.
Leaf nodes of the access tree are associated with data file attributes. For the purpose of key
management, we require the root node to be an AND gate (i.e., n-of-n threshold gate) with one
child being the leaf node which is associated with the dummy attribute, and the other child node
being any threshold gate. The dummy attribute will not be attached to any other node in the
access tree. Fig.3.1 illustrates our definitions by an example. In addition, Cloud Servers also keep
a user list UL which records IDs of all the valid users in the system. Table 3.1 gives the
description of notation to be used in our scheme.
Table 5.1 Notation used in our scheme description
Notation                        Description
$PK$, $MK$                      system public key and master key
$T_i$                           public key component for attribute $i$
$t_i$                           master key component for attribute $i$
$SK$                            user secret key
$sk_i$                          user secret key component for attribute $i$
$E_i$                           ciphertext component for attribute $i$
$I$                             attribute set assigned to a data file
$DEK$                           symmetric data encryption key of a data file
$P$                             user access structure
$L_P$                           set of attributes attached to leaf nodes of $P$
$Att_D$                         the dummy attribute
$UL$                            the system user list
$AHL_i$                         attribute history list for attribute $i$
$rk_{i \leftrightarrow i'}$     proxy re-encryption key for attribute $i$ from its current version to the updated version $i'$
$\delta_{O,X}$                  the data owner's signature on message $X$
Chapter 6
ALGORITHM
Key Policy Attribute-Based Encryption (KP-ABE):
using System;
using System.IO;
using System.Security.Cryptography;

// RSA provider shared by the static methods below.
static RSACryptoServiceProvider rsa;

// Opens (or creates) the named RSA key container in the machine key store.
public static void AssignParameter()
{
    const int PROVIDER_RSA_FULL = 1;
    const string CONTAINER_NAME = "SpiderContainer";
    CspParameters cspParams = new CspParameters(PROVIDER_RSA_FULL);
    cspParams.KeyContainerName = CONTAINER_NAME;
    cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
    cspParams.ProviderName = "Microsoft Strong Cryptographic Provider";
    rsa = new RSACryptoServiceProvider(cspParams);
}

// RSA-encrypts a UTF-8 string under the stored public key and returns Base64.
public static string EncryptData(string data2Encrypt)
{
    AssignParameter();
    string publicOnlyKeyXML;
    using (StreamReader reader = new StreamReader(@"E:VisualStudio2008cloudcomputingpublickey.xml"))
    {
        publicOnlyKeyXML = reader.ReadToEnd();
    }
    rsa.FromXmlString(publicOnlyKeyXML);
    // read plaintext, encrypt it to ciphertext
    // The second argument (fOAEP) is false, so PKCS#1 v1.5 padding is used; true selects OAEP.
    byte[] plainbytes = System.Text.Encoding.UTF8.GetBytes(data2Encrypt);
    byte[] cipherbytes = rsa.Encrypt(plainbytes, false);
    return Convert.ToBase64String(cipherbytes);
}

// Exports the key pair to disk: private+public first, then public only.
public static void NewSecretKey()
{
    AssignParameter();
    // provide public and private RSA params
    // The private key is written as unencrypted XML; restrict access to this file.
    using (StreamWriter writer = new StreamWriter(@"E:VisualStudio2008cloudcomputingprivatekey.xml"))
    {
        string publicPrivateKeyXML = rsa.ToXmlString(true);
        writer.Write(publicPrivateKeyXML);
    }
    // provide public only RSA params
    using (StreamWriter writer = new StreamWriter(@"E:VisualStudio2008cloudcomputingpublickey.xml"))
    {
        string publicOnlyKeyXML = rsa.ToXmlString(false);
        writer.Write(publicOnlyKeyXML);
    }
}

// Decrypts a Base64 RSA ciphertext with the stored private key and returns the UTF-8 string.
public static string DecryptData(string data2Decrypt)
{
    AssignParameter();
    byte[] getpassword = Convert.FromBase64String(data2Decrypt);
    string publicPrivateKeyXML;
    using (StreamReader reader = new StreamReader(@"E:VisualStudio2008cloudcomputingprivatekey.xml"))
    {
        publicPrivateKeyXML = reader.ReadToEnd();
    }
    rsa.FromXmlString(publicPrivateKeyXML);
    // read ciphertext, decrypt it to plaintext (padding flag must match EncryptData)
    byte[] plain = rsa.Decrypt(getpassword, false);
    return System.Text.Encoding.UTF8.GetString(plain);
}
Proxy Re-Encryption (PRE)
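using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// RSA provider shared by the methods below.
static RSACryptoServiceProvider rsa;

// ASP.NET page handler: RSA-encrypts Session["message"] and displays the ciphertext.
// The method header is not shown in the source; EncryptMessage is a placeholder name.
protected void EncryptMessage(object sender, EventArgs e)
{
    StringBuilder sb = new StringBuilder();   // declaration not shown in the source
    AssignParameter();
    string publicOnlyKeyXML;
    using (StreamReader reader = new StreamReader(@"E:VisualStudio2008securecloudcomputingpublickey.xml"))
    {
        publicOnlyKeyXML = reader.ReadToEnd();
    }
    rsa.FromXmlString(publicOnlyKeyXML);
    // read plaintext, encrypt it to ciphertext (fOAEP = false: PKCS#1 v1.5 padding)
    byte[] plainbytes = System.Text.Encoding.UTF8.GetBytes((string)Session["message"]);
    byte[] cipherbytes = rsa.Encrypt(plainbytes, false);
    // list each ciphertext byte on its own line, then the Base64 form
    for (int x = 0; x < cipherbytes.Length; x++)
    {
        sb.Append(cipherbytes[x].ToString() + "<br>");
    }
    Label1.Text = Convert.ToBase64String(cipherbytes);
    sb.Append(Label1.Text);
    Literal1.Text = Convert.ToString(sb);
}

// Opens (or creates) the named RSA key container in the machine key store.
public static void AssignParameter()
{
    const int PROVIDER_RSA_FULL = 1;
    const string CONTAINER_NAME = "SpiderContainer";
    CspParameters cspParams = new CspParameters(PROVIDER_RSA_FULL);
    cspParams.KeyContainerName = CONTAINER_NAME;
    cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
    cspParams.ProviderName = "Microsoft Strong Cryptographic Provider";
    rsa = new RSACryptoServiceProvider(cspParams);
}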
Chapter 7
ANALYSIS OF OUR PROPOSED SCHEME
7.1 Security Analysis
We first analyze security properties of our proposed scheme, starting with the following
immediately available properties.
1) Fine-grainedness of Access Control: In our proposed scheme, the data owner is able to
define and enforce expressive and flexible access structure for each user. Specifically, the access
structure of each user is defined as a logic formula over data file attributes, and is able to
represent any desired data file set.
2) User Access Privilege Confidentiality: Our proposed scheme just discloses the leaf node
information of a user access tree to Cloud Servers. As interior nodes of an access tree can be any
threshold gates and are unknown to Cloud Servers, it is hard for Cloud Servers to recover the
access structure and thus derive user access privilege information.
3) User Secret Key Accountability: This property can be immediately achieved by using the
enhanced construction of KP-ABE which can be used to disclose the identities of key abusers.
Now we analyze data confidentiality of our proposed scheme by giving a cryptographic security
proof.
4) Data Confidentiality: We analyze data confidentiality of our proposed scheme by comparing
it with an intuitive scheme in which data files are encrypted using symmetric DEKs, and DEKs
are directly encrypted using standard KP-ABE. Assuming the symmetric key algorithm is secure,
e.g., a standard symmetric key algorithm such as AES is used, the security of this intuitive scheme
relies solely on the security of KP-ABE. Actually, the standard KP-ABE is provably secure
under the attribute-based Selective-Set model given the Decisional Bilinear Diffie-Hellman
(DBDH) problem is hard. Therefore, the intuitive scheme is secure under the same model. Our
goal is to show that our proposed scheme is as secure as the intuitive scheme. As compared to the
intuitive scheme, our scheme discloses the following extra information to Cloud Servers: a
partial set of user secret key components (except for the one for the dummy attribute which is
required for each decryption), and the proxy re-encryption keys
7.2 Performance Analysis
This section numerically evaluates the performance of our proposed scheme in terms of the
computation overhead introduced by each operation as well as the ciphertext size.
1) Computation Complexity: We analyze the computation complexity for the following six
operations: system setup, new file creation, file deletion, new user grant, user revocation, and file
access.
System Setup: In this operation, the data owner needs to define the underlying bilinear
groups and generate PK and MK. As is described in Section III-A, the main computation
overhead for the generation of PK and MK is introduced by the N group multiplication
operations on G1.
New File Creation: The main computation overhead of this operation is the
encryption of the data file using the symmetric DEK as well as the encryption of the DEK using
KP-ABE. The complexity of the former depends on the size of the underlying data file and is
inevitable for any cryptographic method. The computation overhead for the latter consists of |I|
multiplication operations on G1 and 1 multiplication operation on G2, where I denotes the
attribute set of the data file. All these operations are for the data owner.
File Deletion: This operation just involves the data owner and Cloud Servers. The former needs
to compute one signature and the latter verifies this signature.
New User Grant: This operation is executed
interactively by the data owner, Cloud Servers, and the user. The computation overhead for the
data owner is mainly composed of the generation of the user secret key and encryption of the
user secret key using the user's public key. The former accounts for |L| multiplication operations
on G1, where L denotes the set of leaf nodes of the access tree. The latter accounts for one PKC
operation, e.g., RSA encryption. The main overhead for Cloud Servers is one signature
verification. The user needs to do two PKC operations, one for data decryption and the other for
signature verification.
User Revocation: This operation is composed of two stages. The second
stage can actually be amortized as the file access operation. Here we just count the operation
overhead for the first stage; that for the second stage will be included in the file access
operation. The first stage occurs between the data owner and Cloud Servers. The computation
overhead for the data owner is caused by the execution of AMinimalSet and AUpdateAtt as well
as the generation of his signatures for the public key components.
The complexity of algorithm AMinimalSet is mainly contributed by the CNF conversion
operation, which can be efficiently realized by existing algorithms (with complexity
linear in the size of the access structure). Assuming the size of the minimal set returned by
AMinimalSet is D, D ≤ N, the computation overhead for AUpdateAtt is mainly contributed by D
multiplication operations on G1. In addition, the data owner also needs to compute D signatures
on public key components. The computation overhead on Cloud Servers in this stage is
negligible. When counting the complexity of user revocation, we use N instead of the size of the
access structure, since in practical scenarios AMinimalSet is very efficient if we limit the size of
the access structure (without affecting system scalability), but each signature or multiplication
operation on G1 is expensive.

File Access: This operation occurs between Cloud Servers and the user. For Cloud Servers,
the main computation overhead is caused by the execution of algorithm AUpdateSK and
algorithm AUpdateAtt4File. In the worst case, the algorithm AUpdateSK would be called |L|−1
times, which represents |L|−1 multiplication operations on G1. Each execution of the algorithm
AUpdateAtt4File accounts for one multiplication operation on G1. In the worst case, Cloud
Servers need to call AUpdateAtt4File N times per file access. Our lazy re-encryption solution
will greatly reduce the average system-wide number of calls to these two algorithms from a
statistical point of view. File decryption needs |L| bilinear pairings in the worst case. Table 7.1
summarizes the computation complexity of our proposed scheme.
Operation          Complexity
File Creation      O(|I|)
File Deletion      O(1)
User Grant         O(|L|)
User Revocation    O(N)
File Access        O(max(|L|,N))
Table 7.1
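Added example (not code from the report or from the scheme's authors): a toy Python model of the two-stage user revocation and the File Access costs counted above, showing how lazy re-encryption folds several pending re-keys of an attribute into a single AUpdateAtt4File or AUpdateSK call. The key layout (t_i, E_i = T_i^s, sk_i = g^(share/t_i), rk = t_i'/t_i), the history-list bookkeeping and the attribute names are assumptions made for the illustration, and the model tracks exponents only, so it has no security.

```python
# Added illustration: toy model of lazy re-encryption bookkeeping. NOT secure.
# A group element g^x is represented by its exponent x mod a prime P, so one
# multiplication/exponentiation on G1 becomes one modular multiplication and
# the pairing e(g^a, g^b) becomes a*b mod P. Assumed layout (not from the
# report): master secret t_i per attribute, E_i = T_i^s, sk_i = g^(share/t_i),
# proxy re-encryption key rk = t_i'/t_i.
import secrets

P = 2**127 - 1  # prime order of the toy group

def inv(x):
    return pow(x, -1, P)

def rand_scalar():
    return secrets.randbelow(P - 1) + 1  # non-zero, hence invertible mod P

class Owner:
    """Data owner: keeps the master key component t_i of every attribute."""

    def __init__(self, attributes):
        self.t = {a: rand_scalar() for a in attributes}

    def encrypt_components(self, attrs, s):
        return {a: s * self.t[a] % P for a in attrs}       # E_i = T_i^s

    def key_component(self, attr, share):
        return share * inv(self.t[attr]) % P               # sk_i = g^(share/t_i)

    def a_update_att(self, attr):
        """AUpdateAtt: re-key one attribute and return the re-encryption key."""
        new_t = rand_scalar()
        rk = new_t * inv(self.t[attr]) % P
        self.t[attr] = new_t
        return rk

class CloudServer:
    """Holds ciphertext components, user key components (all but the dummy
    attribute) and, per attribute, a history list of re-encryption keys."""

    def __init__(self):
        self.ahl = {}     # attribute -> [rk_1, rk_2, ...]
        self.files = {}   # file id -> {"c": {attr: E_i},  "ver": {attr: n}}
        self.users = {}   # user id -> {"c": {attr: sk_i}, "ver": {attr: n}}
        self.calls = {"AUpdateAtt4File": 0, "AUpdateSK": 0}

    def store(self, table, ident, components):
        # "ver" counts how many re-keys each component already reflects.
        ver = {a: len(self.ahl.get(a, [])) for a in components}
        table[ident] = {"c": dict(components), "ver": ver}

    def revoke(self, attr, rk):
        """First revocation stage: only record rk, touch no file or key."""
        self.ahl.setdefault(attr, []).append(rk)

    def _bring_up_to_date(self, record, name, invert):
        for attr, ver in list(record["ver"].items()):
            history = self.ahl.get(attr, [])
            if ver == len(history):
                continue                      # nothing pending for this attribute
            agg = 1
            for rk in history[ver:]:          # fold all pending re-keys into one
                agg = agg * rk % P
            factor = inv(agg) if invert else agg
            record["c"][attr] = record["c"][attr] * factor % P   # one G1 operation
            record["ver"][attr] = len(history)
            self.calls[name] += 1

    def access(self, user, fid):
        """Second revocation stage, amortised into file access."""
        self._bring_up_to_date(self.files[fid], "AUpdateAtt4File", invert=False)
        self._bring_up_to_date(self.users[user], "AUpdateSK", invert=True)
        return self.files[fid]["c"], self.users[user]["c"]

def demo():
    attrs = ["dept", "role", "year", "dummy"]       # constructed attribute universe
    owner, cloud = Owner(attrs), CloudServer()
    s = rand_scalar()                                # encryption randomness of file f1
    cloud.store(cloud.files, "f1", owner.encrypt_components(attrs, s))
    shares = {a: rand_scalar() for a in ["dept", "role", "dummy"]}   # leaf set L
    sk = {a: owner.key_component(a, shares[a]) for a in shares}
    dummy_sk = sk.pop("dummy")                       # stays with the user only
    cloud.store(cloud.users, "alice", sk)            # |L|-1 components at the cloud

    for _ in range(5):                               # five revocations hit "dept"
        cloud.revoke("dept", owner.a_update_att("dept"))
    cloud.revoke("year", owner.a_update_att("year"))

    E, sk_now = cloud.access("alice", "f1")
    first = dict(cloud.calls)
    cloud.access("alice", "f1")                      # nothing pending the second time
    return {
        "first_access_calls": first,
        "second_access_calls": {k: cloud.calls[k] - first[k] for k in first},
        "matches_fresh_encryption": E == owner.encrypt_components(attrs, s),
        "pairing_ok": all(E[a] * sk_now[a] % P == s * shares[a] % P for a in sk_now),
        "dummy_ok": E["dummy"] * dummy_sk % P == s * shares["dummy"] % P,
    }

if __name__ == "__main__":
    print(demo())
```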
7.3 SYSTEM ANALYSIS
7.3.1 Existing System:
Existing solutions apply cryptographic methods by disclosing data decryption keys
only to authorized users. These solutions inevitably introduce a heavy computation overhead on
the data owner for key distribution and data management when fine-grained data access control is
desired, and thus do not scale well.
7.3.2 Proposed System:
In order to achieve secure, scalable and fine-grained access control on outsourced data in
the cloud, we utilize and uniquely combine the following three advanced cryptographic
techniques:
• Key Policy Attribute-Based Encryption (KP-ABE)
• Proxy Re-Encryption (PRE)
• Lazy re-encryption
Figure 7.1 SYSTEM ANALYSIS
Chapter 8
SYSTEM DESIGN
For the above project we have to design some UML diagrams, such as the Use Case diagram,
Sequence diagram, Class diagram, Data Flow Diagram and E-R Diagram.
USE CASE DIAGRAM:
CLASS DIAGRAM:
SEQUENCE DIAGRAM:
E-R Diagram:
Data Flow Diagram:
Level 0:
Level 1:
Chapter 9
SNAPSHOTS
When the project is running, the pages appear as follows. First the owner logs in on the cloud
server, and next the file is uploaded on to the cloud server.
Figure 9.1 Start page of owner login
File upload on to the cloud
Figure 9.2 Upload file for encrypted data
Next, the user can access the file from the cloud server. He first registers at the access
point, and then the user obtains a public key and master key from that algorithm.
Figure 9.3 Registration for user
After successful registration, the cloud server sends the secret key to the user's mail id.
Figure 9.4 Registration success after get secret key
After the registration process the user gets the secret key, and then he uploads to the cloud the
file which he has been given by the cloud server.
Figure 9.5 Send File to cloud
The file is selected from the cloud, as shown by the server.
Figure 9.6 Select File From Cloud
The file is sent to the cloud; the secret key is then used to download the file from the cloud.
Figure 9.7 Enter Secret Key
Download the file
Figure 9.8 Download Path
Database table:
Figure 9.9(a) Database table
User registration detail data:
Figure 9.9(b) Database table
Chapter 10
ADVANTAGES
• Low initial capital investment
• Shorter start-up time for new services
• Lower maintenance and operation costs
• Higher utilization through virtualization
• Easier disaster recovery
Chapter 11
DISADVANTAGES
• Software update could change security settings, assigning privileges too low
• Security concerns
• Control of your data/system by third-party
Chapter 12
CONCLUSION
This project constructs an ABE-based cryptography scheme for implementing fine-grained access
control for cloud computing. The constructed scheme enables user accountability, which can be
used to prevent illegal key usage. We identify the need for fine-grained access control in cloud
computing. We achieve user accountability by inserting user-specific information into users'
attribute private keys. We perform a comprehensive security analysis with respect to data
confidentiality and fine-grained access control. In this paper we propose a scheme to achieve this
goal by exploiting KP-ABE and uniquely combining it with techniques of proxy re-encryption
and lazy re-encryption. Moreover, our proposed scheme can enable the data owner to delegate
most of the computation overhead to powerful cloud servers. Confidentiality of user access
privilege and user secret key accountability can be achieved. Formal security proofs show that our
proposed scheme is secure under standard cryptographic models.

 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Cyber Recovery Wargame
Cyber Recovery WargameCyber Recovery Wargame
Cyber Recovery Wargame
 
APJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes WebinarAPJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes Webinar
 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
 
MongoDB vs ScyllaDB: Tractian’s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractian’s Experience with Real-Time MLMongoDB vs ScyllaDB: Tractian’s Experience with Real-Time ML
MongoDB vs ScyllaDB: Tractian’s Experience with Real-Time ML
 

Achieving Secure, Scalable and Fine-grained Cloud Computing report

  • 1. ACHIEVING SECURE, SCALABLE AND FINE GRAINED DATA ACCESS CONTROL IN CLOUD COMPUTING Kiran V. Girase
  • 2. CLOUD COMPUTING Department of Comp & IT 1 D. N. P.COE,SHAHADA
Chapter 1 INTRODUCTION
Cloud computing is also facing many challenges that, if not well resolved, may impede its fast growth. Data security, as it exists in many other applications, is among these challenges that would raise great concerns from users when they store sensitive information on cloud servers. These concerns originate from the fact that cloud servers are usually operated by commercial providers which are very likely to be outside of the trusted domain of the users. Data confidentiality against cloud servers is hence frequently desired when users outsource data for storage in the cloud. In some practical application systems, data confidentiality is not only a security/privacy issue, but also a legal concern. For example, in healthcare application scenarios, use and disclosure of protected health information (PHI) should meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA), and keeping user data confidential against the storage servers is not just an option, but a requirement. Furthermore, we observe that there are also cases in which cloud users themselves are content providers. They publish data on cloud servers for sharing and need fine-grained data access control in terms of which user (data consumer) has the access privilege to which types of data. In the healthcare case, for example, a medical center would be the data owner who stores millions of healthcare records in the cloud. It would allow data consumers such as doctors, patients, researchers, etc., to access various types of healthcare records under policies admitted by HIPAA. To enforce these access policies, the data owners on one hand would like to take advantage of the abundant resources that the cloud provides for efficiency and economy; on the other hand, they may want to keep the data contents confidential against cloud servers.
We address this open issue and propose a secure and scalable fine-grained data access control scheme for cloud computing. Our proposed scheme is partially based on our observation that, in practical application scenarios each data file can be associated with a set of attributes which are meaningful in the context of interest. As the logical expression can represent any desired data file set, fine-grainedness of data access control is achieved. To enforce these access structures, we define a public key component for each attribute. Data files are encrypted using public key components corresponding to their attributes.
  • 3. User secret keys are defined to reflect their access structures so that a user is able to decrypt a ciphertext if and only if the data file attributes satisfy his access structure. Such a design also brings about the efficiency benefit, as compared to previous works, in that 1) the complexity of encryption is just related to the number of attributes associated with the data file, and is independent of the number of users in the system; and 2) data file creation/deletion and new user grant operations just affect the current file/user without involving system-wide data file update or re-keying. One extremely challenging issue with this design is the implementation of user revocation, which would inevitably require re-encryption of data files accessible to the leaving user, and may need update of secret keys for all the remaining users. If all these tasks are performed by the data owner himself/herself, it would introduce a heavy computation overhead on him/her and may also require the data owner to be always online. To resolve this challenging issue, our proposed scheme enables the data owner to delegate tasks of data file re-encryption and user secret key update to cloud servers without disclosing data contents or user access privilege information. We achieve our design goals by exploiting a novel cryptographic primitive, namely key policy attribute-based encryption.
1.1 MODELS AND ASSUMPTIONS
1.1.1 System Models
Similar to , we assume that the system is composed of the following parties: the Data Owner, many Data Consumers, many Cloud Servers, and a Third Party Auditor if necessary. To access data files shared by the data owner, Data Consumers, or users for brevity, download data files of their interest from Cloud Servers and then decrypt. Neither the data owner nor users will be always online. They come online only when necessary.
For simplicity, we assume that the only access privilege for users is data file reading. Extending our proposed scheme to support data file writing is trivial by asking the data writer to sign the new data file on each update as does. From now on, we will also refer to data files as files for brevity. Cloud Servers are always online and operated by the Cloud Service Provider (CSP). They are assumed to have abundant storage capacity and computation power. The Third Party Auditor is also an online party which is used for auditing every file access event. In addition, we also assume that the data owner can not only store data files but also run his own code on Cloud Servers to manage his data files. This assumption coincides with the unified ontology of cloud computing
  • 4. 1.1.2 Security Models
In this work, we just consider Honest but Curious Cloud Servers as does. That is to say, Cloud Servers will follow our proposed protocol in general, but try to find out as much secret information as possible based on their inputs. More specifically, we assume Cloud Servers are more interested in file contents and user access privilege information than other secret information. Cloud Servers might collude with a small number of malicious users for the purpose of harvesting file contents when it is highly beneficial. Communication channels between the data owner/users and Cloud Servers are assumed to be secured under existing security protocols such as SSL. Users would try to access files either within or outside the scope of their access privileges. To achieve this goal, unauthorized users may work independently or cooperatively. In addition, each party is preloaded with a public/private key pair and the public key can be easily obtained by other parties when necessary.
1.1.3 Design Goals
Our main design goal is to help the data owner achieve fine-grained access control on files stored by Cloud Servers. Specifically, we want to enable the data owner to enforce a unique access structure on each user, which precisely designates the set of files that the user is allowed to access. We also want to prevent Cloud Servers from being able to learn both the data file contents and user access privilege information. In addition, the proposed scheme should be able to achieve security goals like user accountability and support basic operations such as user grant/revocation as a general one-to-many communication system would require. All these design goals should be achieved efficiently in the sense that the system is scalable.
  • 5. Chapter 2 LITERATURE SURVEY
The literature survey contains a study of different access control mechanisms for cloud computing. Mainly we have focused on attribute based access control, role based access control, identity based encryption, attribute based encryption and role based encryption. The following table gives a list of papers that we have surveyed. Here we have listed some characteristics of access control and encryption schemas after surveying the above papers.
The characteristics of an ideal access control and encryption schema:
Data confidentiality: Data is encrypted before uploading to the cloud, so an unauthorized user of the cloud cannot learn anything about the data stored on the cloud. Only authorized users, those who have the decryption key, can access the data.
Fine-grained access control: Different users from the same group get different access rights, so users belonging to the same group can access different data according to their access rights.
Scalability: When the number of users of the system increases, it may affect the system performance. The performance of the system should not be affected by an increased number of authorized users.
Flexibility: Flexibility of the cloud allows companies to adjust to any problems that may occur during day-to-day operations. It also allows using extra resources at peak times to satisfy consumer demands.
Security: While updating login credentials, for example a password, or requesting extra attributes, we must ensure that only a valid user is performing those operations. The system must also provide security against different attacks like session hijacking, session fixation, etc.
  • 6. A. Identity Based Encryption
Identity Based Encryption was proposed for ciphertext security and it is a type of public key encryption. In this schema, the user's public key is simply unique information about the user's identity, such as an email ID, and the user's private key is generated by using the known identity of the user. As a result, a user can encrypt a message without prior distribution of keys between participants. This schema is extremely useful where pre-distribution of keys is infeasible or inconvenient due to technical restraints. The steps involved in Identity Based Encryption are given below:
Setup algorithm: The Private Key Generator (PKG) executes this setup algorithm once to create the IBE environment. This algorithm takes security parameters as input and generates:
- A set of system parameters P
- A master key Km
Private Key Generation algorithm: When a user sends a request for his private key, the PKG executes this private key generation algorithm. It requires the system parameters P, the master key Km and the user ID, and gives the private key d for user identity ID.
Encryption algorithm: This algorithm takes the system parameters P, the message m and the user's ID, and generates an encrypted message for the particular user whose identity is ID.
Decryption algorithm: This algorithm accepts the private key d, the system parameters P and the encrypted message c, and retrieves the original message m.
B. Attribute Based Encryption
The main goal of attribute based encryption [2], proposed by Sahai and Waters, is to provide security and access control. This schema has a trusted authority, a data owner and a data user. The role of the trusted authority is to generate keys for both the data user and the data owner to encrypt and decrypt the message. In Attribute Based Encryption the ciphertext is not only encrypted for a single user. The drawback of the attribute based encryption scheme is that the data owner needs to use each user's public key to encrypt data.
Sahai and Waters proposed the concept of Key policy ABE, which is an enhancement of ABE and CP-ABE [2]. KP-ABE is the dual to CP-ABE in the sense that an access policy is encoded into the user's secret key and a ciphertext is computed with respect to a set of attributes. In ciphertext-policy attribute-based encryption (CP-ABE) a user's private key is related to the set of attributes and a ciphertext stipulates an access policy over the defined attributes within the system. A user will be able to decrypt a ciphertext if and only if his attributes satisfy the policy of the respective ciphertext.
  • 7. C. Role Based Access Control
In RBAC, access to resources depends on the role which is assigned to the user. In this framework, access is the ability of an individual user to perform different operations such as create, view and modify a file. Roles depend on authority and responsibility within the organization. Various roles are created for an organization, and permissions to perform specific operations are assigned to specific roles. RBAC has been widely used, but has weaknesses: it is labor-intensive and time-consuming to build a model instance, and a pure RBAC system lacks the flexibility to efficiently adapt to changing users, objects, and security policies. In particular, it is impractical to manually make (and maintain) user-to-role assignments and role-to-permission assignments in an industrial context characterized by a large number of users and/or security objects.
Figure 2.1 Role Based Access Control
  • 8. D. Attribute Based Access Control
In attribute based access control [3] each user is associated with a finite set of attributes. The data owner assigns attributes to a particular user by considering the type of user. Whenever a user logs in and requests data, the user can access only the assigned attributes. The set of attributes defines the access control.
Figure 2.2 Attribute Based Access Control
E. Hybrid Access Control (ABAC+RBAC)
Combining role based access control and attribute based access control is rising as a promising paradigm. In this schema we combine role based access control with attribute based access control to get the advantages of both. In this proposed schema we consider three approaches to using role based access control and attribute based access control:
Dynamic roles
Attribute based
Role based
  • 9. Figure 2.3 Hybrid access control
Dynamic roles: In this first approach we consider role based access that is also attribute driven. As we are considering fine-grained access control, we can assign a particular role with some extra attributes to the user. By providing a decryption key, the user can access the data assigned to that particular role as well as the extra attributes. If a user requests more attributes than the assigned role provides, we create a dynamic role for that user and, depending on the trust value of the user, assign the extra attributes to that user.
Attribute based: The second approach is attribute based. Here the attributes assigned to a user do not come from a single role, so we use attribute based access control. Users can thus access different attributes related to different roles.
Role based: The third option simply follows role based access control, in which roles are assigned to the users, and the attributes accessible to a user depend on which role is assigned to that user.
These attribute-based policies bring to RBAC the advantages of ABAC: they are easy to construct and easy to adapt to changes. Using this mechanism in large scale applications we can solve the problem of permission assignment. This model is motivated by the characteristics and
  • 10. requirements of industrial control systems, and reflects in part certain approaches and practices common in the industry.
F. Hierarchical Attribute and Role based access control
In the HASBE [4] schema, a hierarchical user structure is used with ASBE. The HASBE schema is based on attribute based access control. In our proposed schema, we use hybrid access control to get the advantages of both attribute based access control and role based access control. Figure 5 shows the hierarchical structure of system users using role and trust management. Our system model consists of a trusted authority, multiple domain authorities, and numerous users corresponding to data owners and data consumers. The trusted authority is responsible for generating and distributing system parameters and root master keys as well as authorizing the top-level domain authorities.
Figure 2.4 Hierarchical system users, Role and Trust management.
Trust Management: Trust management is the mechanism used while assigning extra attributes to a user. When a user requests more attributes than those assigned, the higher authority checks the trust value of that user. If the trust value is above the threshold value, the attributes are assigned to the user; otherwise they are not. Trust management helps the data owner to assign new attributes by considering the trust value.
  • 11. Chapter 3 Software and Hardware Requirement Specification
3.1 HARDWARE DESCRIPTION
The selection of hardware is very important in the existence and proper working of any software. When selecting hardware, the size and requirements are also important.
Minimum Requirements:
Processor : Pentium II class, 450MHz
RAM : 128MB
Hard Disk Drive : 3GB
Video : 800X600, 256 colors
CD-ROM : Required
The proposed System is developed on:
Processor : INTEL Pentium 4
RAM : 512MB
Hard Disk Drive : 40GB
Key Board : Standard 101/102 or Digi Sync Family
Monitor : Display Panel (1024 X 764)
Display Adapter : Trident Super VGA
Network Adapter : SMC Ethernet Card Elite 16 Ultra
Mouse : Logitech Serial Mouse
3.1 SOFTWARE DESCRIPTION
Operating System : Windows XP
Front-End : C#.NET with ASP.NET
Back-End : MS SQL SERVER 2005 EXPRESS
  • 12. Chapter 4 ARCHITECTURE
We consider a cloud data system consisting of data owners, data users, Cloud Servers, and a Third Party Auditor. A data owner stores his sensitive data on Cloud Servers. Users are issued attributes. To access the remotely stored data files shared by the data owner, users need to download the data files from the Cloud Servers. For simplicity, we assume that the only access privilege for users is data file reading. Cloud Servers are always online and operated by the Cloud Service Provider (CSP). The Third Party Auditor is also an always-online party which audits every file access event. In addition, we also assume that the data owner can store data files besides running his own code on Cloud Servers to manage his data files.
Figure 4.1 Architecture of cloud computing
  • 13. Chapter 5 MODULE DESCRIPTION
5.1 Key Policy Attribute-Based Encryption (KP-ABE)
KP-ABE is a public key cryptography primitive for one-to-many communications. In KP-ABE, data are associated with attributes for each of which a public key component is defined. The encryptor associates the set of attributes to the message by encrypting it with the corresponding public key components. Each user is assigned an access structure which is usually defined as an access tree over data attributes, i.e., interior nodes of the access tree are threshold gates and leaf nodes are associated with attributes. The user secret key is defined to reflect the access structure so that the user is able to decrypt a ciphertext if and only if the data attributes satisfy his access structure. A KP-ABE scheme is composed of four algorithms which can be defined as follows:
5.1.1 Setup
This algorithm takes as input a security parameter $\kappa$ and the attribute universe $U = \{1, 2, \ldots, N\}$ of cardinality $N$. It defines a bilinear group $G_1$ of prime order $p$ with a generator $g$, and a bilinear map $e : G_1 \times G_1 \to G_2$ which has the properties of bilinearity, computability, and non-degeneracy. It returns the public key $PK$ as well as a system master key $MK$ as follows:
$PK = (Y, T_1, T_2, \ldots, T_N)$
$MK = (y, t_1, t_2, \ldots, t_N)$
where $T_i \in G_1$ and $t_i \in Z_p$ are for attribute $i$, $1 \le i \le N$, and $Y \in G_2$ is another public key component. We have $T_i = g^{t_i}$ and $Y = e(g, g)^y$, $y \in Z_p$. While $PK$ is publicly known to all the parties in the system, $MK$ is kept as a secret by the authority party.
5.1.2 Encryption
This algorithm takes a message $M$, the public key $PK$, and a set of attributes $I$ as input. It outputs the ciphertext $E$ with the following format:
$E = (I, \tilde{E}, \{E_i\}_{i \in I})$
where $\tilde{E} = M Y^s$, $E_i = T_i^s$, and $s$ is randomly chosen from $Z_p$.
  • 14. 5.1.3 Key Generation
This algorithm takes as input an access tree $T$, the master key $MK$, and the public key $PK$. It outputs a user secret key $SK$ as follows. First, it defines a random polynomial $p_i(x)$ for each node $i$ of $T$ in the top-down manner starting from the root node $r$. For each non-root node $j$, $p_j(0) = p_{parent(j)}(idx(j))$ where $parent(j)$ represents $j$'s parent and $idx(j)$ is $j$'s unique index given by its parent. For the root node $r$, $p_r(0) = y$. Then it outputs $SK$ as follows:
$SK = \{sk_i\}_{i \in L}$
where $L$ denotes the set of attributes attached to the leaf nodes of $T$ and $sk_i = g^{p_i(0)/t_i}$.
5.1.4 Decryption
This algorithm takes as input the ciphertext $E$ encrypted under the attribute set $I$, the user's secret key $SK$ for access tree $T$, and the public key $PK$. It first computes $e(E_i, sk_i) = e(g, g)^{p_i(0) s}$ for leaf nodes. Then, it aggregates these pairing results in the bottom-up manner using the polynomial interpolation technique. Finally, it may recover the blind factor $Y^s = e(g, g)^{ys}$ and output the message $M$ if and only if $I$ satisfies $T$.
5.2 Proxy Re-Encryption (PRE)
Proxy Re-Encryption (PRE) is a cryptographic primitive in which a semi-trusted proxy is able to convert a ciphertext encrypted under Alice's public key into another ciphertext that can be opened by Bob's private key without seeing the underlying plaintext. More formally, a PRE scheme allows the proxy, given the proxy re-encryption key $rk_{a \leftrightarrow b}$, to translate ciphertexts under public key $pk_a$ into ciphertexts under public key $pk_b$ and vice versa.
5.1 An exemplary case in the healthcare scenario
  • 15. 5.2.1 OUR PROPOSED SCHEME
5.2.1.1 Main Idea
In order to achieve secure, scalable and fine-grained access control on outsourced data in the cloud, we utilize and uniquely combine the following three advanced cryptographic techniques: KP-ABE, PRE and lazy re-encryption. More specifically, we associate each data file with a set of attributes, and assign each user an expressive access structure which is defined over these attributes. To enforce this kind of access control, we utilize KP-ABE to escort data encryption keys of data files. Such a construction enables us to immediately enjoy fine-grainedness of access control. However, this construction, if deployed alone, would introduce heavy computation overhead and cumbersome online burden towards the data owner, as he is in charge of all the operations of data/user management. Specifically, such an issue is mainly caused by the operation of user revocation, which inevitably requires the data owner to re-encrypt all the data files accessible to the leaving user, or even needs the data owner to stay online to update secret keys for users. To resolve this challenging issue and make the construction suitable for cloud computing, we uniquely combine PRE with KP-ABE and enable the data owner to delegate most of the computation-intensive operations to Cloud Servers without disclosing the underlying file contents. Such a construction allows the data owner to control access of his data files with a minimal overhead in terms of computation effort and online time, and thus fits well into the cloud environment. Data confidentiality is also achieved since Cloud Servers are not able to learn the plaintext of any data file in our construction.
To further reduce the computation overhead on Cloud Servers and thus save the data owner's investment, we take advantage of the lazy re-encryption technique and allow Cloud Servers to "aggregate" computation tasks of multiple system operations. As we will discuss in section V-B, the computation complexity on Cloud Servers is either proportional to the number of system attributes, or linear in the size of the user access structure/tree, which is independent of the number of users in the system. Scalability is thus achieved. In addition, our construction also protects user access privilege information against Cloud Servers. Accountability of user secret keys can also be achieved by using an enhanced scheme of KP-ABE.
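A bidirectional proxy re-encryption exchange of the kind section 5.2 defines and the main idea above relies on, as an added example that is not part of the original report. It assumes the ElGamal-based construction of Blaze, Bleumer and Strauss (the report does not name the PRE scheme it uses) over a toy 11-bit group; the keys, the message and all function names are constructed for the example.

```python
import secrets

# Toy parameters (constructed): Q = 2*P_ORD + 1 is a safe prime and G = 4
# generates the subgroup of prime order P_ORD. Far too small for real use.
Q, P_ORD, G = 2039, 1019, 4


def keygen():
    """Return (sk, pk) with pk = g^sk."""
    sk = secrets.randbelow(P_ORD - 1) + 1
    return sk, pow(G, sk, Q)


def encrypt(pk, m):
    """Ciphertext under pk_a = g^a is (m * g^r, g^{a r}); m is in [1, Q-1]."""
    r = secrets.randbelow(P_ORD - 1) + 1
    return (m * pow(G, r, Q) % Q, pow(pk, r, Q))


def decrypt(sk, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, P_ORD), Q)  # (g^{a r})^{1/a} = g^r
    return c1 * pow(g_r, -1, Q) % Q


def rekey(sk_a, sk_b):
    """rk_{a<->b} = b / a mod the group order.

    Computing it needs both secrets, so it is produced by a party that holds
    both and handed to the proxy; the inverse key translates back (b -> a).
    """
    return sk_b * pow(sk_a, -1, P_ORD) % P_ORD


def reencrypt(rk, ct):
    """Run by the proxy: sees only rk and the ciphertext, never m or a key."""
    c1, c2 = ct
    return (c1, pow(c2, rk, Q))  # (g^{a r})^{b/a} = g^{b r}


def demo():
    a, pk_a = keygen()
    b, pk_b = keygen()
    while b == a:  # keep the two toy keys distinct
        b, pk_b = keygen()
    m = 1234  # constructed message, encoded as a number below Q
    ct_a = encrypt(pk_a, m)
    ct_b = reencrypt(rekey(a, b), ct_a)
    # In this construction re-encryption keys compose by multiplication, so
    # several pending key changes cost the proxy a single exponentiation.
    return m, decrypt(a, ct_a), decrypt(b, ct_b), decrypt(b, ct_a)
```

`demo()` returns the message, Alice's decryption of the original ciphertext, Bob's decryption of the translated one, and Bob's failed attempt on the untranslated one.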
  • 16. 5.2.1.2 Definition and Notation
For each data file the owner assigns a set of meaningful attributes which are necessary for access control. Different data files can have a subset of attributes in common. Each attribute is associated with a version number for the purpose of attribute update as we will discuss later. Cloud Servers keep an attribute history list AHL which records the version evolution history of each attribute and PRE keys used. In addition to these meaningful attributes, we also define one dummy attribute, denoted by symbol AttD, for the purpose of key management. AttD is required to be included in every data file's attribute set and will never be updated. The access structure of each user is implemented by an access tree. Interior nodes of the access tree are threshold gates. Leaf nodes of the access tree are associated with data file attributes. For the purpose of key management, we require the root node to be an AND gate (i.e., n-of-n threshold gate) with one child being the leaf node which is associated with the dummy attribute, and the other child node being any threshold gate. The dummy attribute will not be attached to any other node in the access tree. Fig.3.1 illustrates our definitions by an example. In addition, Cloud Servers also keep a user list UL which records IDs of all the valid users in the system. Table 3.1 gives the description of notation to be used in our scheme.
Table 5.1 Notation used in our scheme description
Notation : Description
$PK$, $MK$ : system public key and master key
$T_i$ : public key component for attribute $i$
$t_i$ : master key component for attribute $i$
$SK$ : user secret key
$sk_i$ : user secret key component for attribute $i$
$E_i$ : ciphertext component for attribute $i$
$I$ : attribute set assigned to a data file
$DEK$ : symmetric data encryption key of a data file
$P$ : user access structure
$L_P$ : set of attributes attached to leaf nodes of $P$
$Att_D$ : the dummy attribute
$UL$ : the system user list
$AHL_i$ : attribute history list for attribute $i$
$rk_{i \leftrightarrow i'}$ : proxy re-encryption key for attribute $i$ from its current version to the updated version $i'$
$\delta_{O,X}$ : the data owner's signature on message $X$
  • 17. Chapter 6 ALGORITHM
Key Policy Attribute-Based Encryption (KP-ABE):

    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;

    // Members of the page's code-behind class. As listed, these routines
    // perform RSA encryption through the Windows CSP (RSACryptoServiceProvider).
    static RSACryptoServiceProvider rsa;

    public static void AssignParameter()
    {
        const int PROVIDER_RSA_FULL = 1;
        const string CONTAINER_NAME = "SpiderContainer";
        CspParameters cspParams = new CspParameters(PROVIDER_RSA_FULL);
        cspParams.KeyContainerName = CONTAINER_NAME;
        // The key container is kept in the machine-wide store, not the user profile.
        cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
        cspParams.ProviderName = "Microsoft Strong Cryptographic Provider";
        rsa = new RSACryptoServiceProvider(cspParams);
    }

    public static string EncryptData(string data2Encrypt)
    {
        AssignParameter();
        string publicOnlyKeyXML = File.ReadAllText(@"E:VisualStudio2008cloudcomputingpublickey.xml");
        rsa.FromXmlString(publicOnlyKeyXML);
        // read plaintext, encrypt it to ciphertext
        byte[] plainbytes = Encoding.UTF8.GetBytes(data2Encrypt);
        // second argument false selects PKCS#1 v1.5 padding; true would select OAEP
        byte[] cipherbytes = rsa.Encrypt(plainbytes, false);
        return Convert.ToBase64String(cipherbytes);
    }

    public static void NewSecretKey()
    {
        AssignParameter();
        // provide public and private RSA params
        // (the private key is written to disk as unprotected XML)
        File.WriteAllText(@"E:VisualStudio2008cloudcomputingprivatekey.xml", rsa.ToXmlString(true));
        // provide public only RSA params
        File.WriteAllText(@"E:VisualStudio2008cloudcomputingpublickey.xml", rsa.ToXmlString(false));
    }

    public static string DecryptData(string data2Decrypt)
    {
        AssignParameter();
        byte[] getpassword = Convert.FromBase64String(data2Decrypt);
        string publicPrivateKeyXML = File.ReadAllText(@"E:VisualStudio2008cloudcomputingprivatekey.xml");
        rsa.FromXmlString(publicPrivateKeyXML);
        // read ciphertext, decrypt it to plaintext
        byte[] plain = rsa.Decrypt(getpassword, false);
        return Encoding.UTF8.GetString(plain);
    }

  • 18. Proxy Re-Encryption (PRE)

    // The slide shows only the body of this handler. The Page_Load signature and
    // the local StringBuilder are assumptions added so that the fragment compiles.
    // As listed, it encrypts Session["message"] under the RSA public key.
    protected void Page_Load(object sender, EventArgs e)
    {
        StringBuilder sb = new StringBuilder();
        AssignParameter();
        string publicOnlyKeyXML = File.ReadAllText(@"E:VisualStudio2008securecloudcomputingpublickey.xml");
        rsa.FromXmlString(publicOnlyKeyXML);
        // read plaintext, encrypt it to ciphertext
        byte[] plainbytes = Encoding.UTF8.GetBytes((string)Session["message"]);
        byte[] cipherbytes = rsa.Encrypt(plainbytes, false);
        // show every ciphertext byte on its own line, then the Base64 form
        for (int x = 0; x < cipherbytes.Length; x++)
        {
            sb.Append(cipherbytes[x].ToString() + "<br>");
        }
        Label1.Text = Convert.ToBase64String(cipherbytes);
        sb.Append(Label1.Text);
        Literal1.Text = Convert.ToString(sb);
    }

    public static void AssignParameter()
    {
        const int PROVIDER_RSA_FULL = 1;
        const string CONTAINER_NAME = "SpiderContainer";
        CspParameters cspParams = new CspParameters(PROVIDER_RSA_FULL);
        // The slide cuts off here; the remaining lines repeat the settings of
        // the identically named method in the listing above.
        cspParams.KeyContainerName = CONTAINER_NAME;
        cspParams.Flags = CspProviderFlags.UseMachineKeyStore;
        cspParams.ProviderName = "Microsoft Strong Cryptographic Provider";
        rsa = new RSACryptoServiceProvider(cspParams);
    }
  • 19. Chapter 7 ANALYSIS OF OUR PROPOSED SCHEME

    7.1 Security Analysis

    We first analyze security properties of our proposed scheme, starting with the following immediately available properties.

    1) Fine-grainedness of Access Control: In our proposed scheme, the data owner is able to define and enforce an expressive and flexible access structure for each user. Specifically, the access structure of each user is defined as a logic formula over data file attributes, and is able to represent any desired data file set.

    2) User Access Privilege Confidentiality: Our proposed scheme discloses only the leaf node information of a user access tree to Cloud Servers. As interior nodes of an access tree can be any threshold gates and are unknown to Cloud Servers, it is hard for Cloud Servers to recover the access structure and thus derive user access privilege information.

    3) User Secret Key Accountability: This property can be immediately achieved by using the enhanced construction of KP-ABE, which can be used to disclose the identities of key abusers.

    Now we analyze data confidentiality of our proposed scheme by giving a cryptographic security proof.

    4) Data Confidentiality: We analyze data confidentiality of our proposed scheme by comparing it with an intuitive scheme in which data files are encrypted using symmetric DEKs, and DEKs are directly encrypted using standard KP-ABE. Assuming the symmetric key algorithm is secure, e.g., using a standard symmetric key algorithm such as AES, the security of this intuitive scheme relies solely on the security of KP-ABE. The standard KP-ABE is provably secure under the attribute-based Selective-Set model given that the Decisional Bilinear Diffie-Hellman (DBDH) problem is hard. Therefore, the intuitive scheme is secure under the same model. Our goal is to show that our proposed scheme is as secure as the intuitive scheme.
As compared to the intuitive scheme, our scheme discloses the following extra information to Cloud Servers: a partial set of user secret key components (except for the one for the dummy attribute which is required for each decryption), and the proxy re-encryption keys
  • 20. 7.2 Performance Analysis

    This section numerically evaluates the performance of our proposed scheme in terms of the computation overhead introduced by each operation as well as the ciphertext size.

    1) Computation Complexity: We analyze the computation complexity for the following six operations: system setup, new file creation, file deletion, new user grant, user revocation, and file access.

    System Setup
    In this operation, the data owner needs to define the underlying bilinear groups, and generate PK and MK. As is described in Section III-A, the main computation overhead for the generation of PK and MK is introduced by the N group multiplication operations on G1.

    New File Creation
    The main computation overhead of this operation is the encryption of the data file using the symmetric DEK as well as the encryption of the DEK using KP-ABE. The complexity of the former depends on the size of the underlying data file and is inevitable for any cryptographic method. The computation overhead for the latter consists of |I| multiplication operations on G1 and 1 multiplication operation on G2, where I denotes the attribute set of the data file. All these operations are for the data owner.

    File Deletion
    This operation just involves the data owner and Cloud Servers. The former needs to compute one signature and the latter verifies this signature.

    New User Grant
    This operation is executed interactively by the data owner, Cloud Servers, and the user. The computation overhead for the data owner is mainly composed of the generation of the user secret key and encryption of the user secret key using the user's public key. The former accounts for |L| multiplication operations on G1, where L denotes the set of leaf nodes of the access tree. The latter accounts for one PKC operation, e.g., RSA encryption. The main overhead for Cloud Servers is one signature verification. The user needs to do two PKC operations, one for data decryption and the other for signature verification.

    User Revocation
    This operation is composed of two stages. The second stage can actually be amortized as the file access operation. Here we just count the operation overhead for the first stage. That for the second stage will be included in the file access operation. The first stage occurs between the data owner and Cloud Servers. The computation overhead for the data owner is caused by the execution of AMinimalSet and AUpdateAtt as well as the generation of his signatures for the public key components.
  • 21. The complexity of algorithm AMinimalSet is actually mainly contributed by the CNF conversion operation which can be efficiently realized by existing algorithms such as (with the complexity linear to the size of the access structure). Assuming the size of the minimal set returned by AMinimalSet is D, D ≤ N, the computation overhead for AUpdateAtt is mainly contributed by D multiplication operations on G1. In addition, the data owner also needs to compute D signatures on public key components. The computation overhead on Cloud Servers in this stage is negligible. When counting the complexity of user revocation, we use N instead of the size of the access structure since in practical scenarios AMinimalSet is very efficient if we limit the size of the access structure (without affecting system scalability), but each signature or multiplication operation on G1 is expensive.

    File Access
    This operation occurs between Cloud Servers and the user. For Cloud Servers, the main computation overhead is caused by the execution of algorithm AUpdateSK and algorithm AUpdateAtt4File. In the worst case, the algorithm AUpdateSK would be called |L|−1 times, which represents |L|−1 multiplication operations on G1. Each execution of the algorithm AUpdateAtt4File accounts for one multiplication operation on G1. In the worst case, Cloud Servers need to call AUpdateAtt4File N times per file access. Our lazy re-encryption solution will greatly reduce the average system-wide call times of these two algorithms from a statistical point of view. File decryption needs |L| bilinear pairings in the worst case. Table 7.1 summarizes the computation complexity of our proposed scheme.
    Operation          Complexity
    File Creation      O(|I|)
    File Deletion      O(1)
    User Grant         O(|L|)
    User Revocation    O(N)
    File Access        O(max(|L|,N))

    Table 7.1

    7.3 SYSTEM ANALYSIS

    7.3.1 Existing System:
    Our existing solution applies cryptographic methods by disclosing data decryption keys only to authorized users. These solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine grained data access control is desired, and thus do not scale well.
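    As an added example (not code from this report), the access structure of Section 7.1, a formula of threshold gates over file attributes whose leaves are the set L of Section 7.2, can be modelled as a tree in which every gate shares its secret with a random polynomial. It goes beyond the text by using plain modular arithmetic in place of the bilinear groups; the attribute names, the modulus P and all function names are assumptions.

```python
import random

P = 2**127 - 1  # prime modulus (assumed); stands in for the order of the pairing groups

def share(node, secret, rng, out):
    """Split `secret` down the tree. A leaf is an attribute string; a gate is
    (k, [children]), satisfied by any k children (k=1 is OR, k=len is AND).
    Appends one (attribute, share) pair per leaf, in depth-first order."""
    if isinstance(node, str):
        out.append((node, secret))
        return out
    k, children = node
    # Random polynomial q of degree k-1 with q(0) = secret; child i gets q(i).
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    for i, child in enumerate(children, start=1):
        share(child, sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P, rng, out)
    return out

def interpolate_at_zero(points):
    """Lagrange interpolation of q(0) from k points (x, q(x)) modulo P."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover(node, file_attrs, shares):
    """Return the node's secret if file_attrs satisfy it, else None.
    `shares` iterates over the key's leaf shares in share() order."""
    if isinstance(node, str):
        attr, value = next(shares)
        return value if attr in file_attrs else None
    k, children = node
    points = []
    for i, child in enumerate(children, start=1):
        value = recover(child, file_attrs, shares)
        if value is not None:
            points.append((i, value))
    return interpolate_at_zero(points[:k]) if len(points) >= k else None

def server_view(key):
    """Leaf attributes only: the gate thresholds never appear in the key shares."""
    return [attr for attr, _ in key]

# Constructed policy: any 2 of {cardiology, (doctor OR researcher), year:2010}.
POLICY = (2, ["cardiology", (1, ["doctor", "researcher"]), "year:2010"])
```

    A key is produced with `share(POLICY, secret, random.Random(), [])`; `recover` returns the secret only for attribute sets that satisfy the formula, and the number of shares equals |L|.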
  • 22. 7.3.2 Proposed System:
    In order to achieve secure, scalable and fine-grained access control on outsourced data in the cloud, we utilize and uniquely combine the following three advanced cryptographic techniques:
      • Key Policy Attribute-Based Encryption (KP-ABE)
      • Proxy Re-Encryption (PRE)
      • Lazy re-encryption

    Figure 7.1 SYSTEM ANALYSIS
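    As an added example (not the report's code), the following simulates the lazy re-encryption counted under User Revocation and File Access in Section 7.2: the server only logs each proxy re-encryption key at revocation time and updates a file component once, when the file is next accessed. The toy group (p = 2039), the re-key form rk = t'/t, the component form g^(t·s) and all names are assumptions made for illustration.

```python
import random

P_MOD, Q, G = 2039, 1019, 4   # toy group (constructed): safe prime p = 2q + 1, g of order q

class CloudServer:
    def __init__(self):
        self.rk_log = {}        # attribute -> re-encryption keys, oldest first
        self.files = {}         # file -> {attribute: [component, rks already applied]}
        self.exponentiations = 0

    def store(self, name, components):
        self.files[name] = {a: [e, len(self.rk_log.get(a, []))]
                            for a, e in components.items()}

    def revoke(self, attr, rk):
        self.rk_log.setdefault(attr, []).append(rk)   # log only; no file is touched

    def access(self, name):
        """Bring a file up to date only when it is requested."""
        for attr, slot in self.files[name].items():
            pending = self.rk_log.get(attr, [])[slot[1]:]
            if pending:
                rk = 1
                for r in pending:
                    rk = rk * r % Q          # fold all pending keys into one
                slot[0] = pow(slot[0], rk, P_MOD)
                slot[1] += len(pending)
                self.exponentiations += 1
        return {a: slot[0] for a, slot in self.files[name].items()}

def simulate(revocations, seed=1):
    """Owner encrypts one file, then redefines attribute 'doctor' `revocations`
    times before the file is accessed once. Returns (is_current, exponentiations)."""
    rng = random.Random(seed)
    t = {a: rng.randrange(1, Q) for a in ("doctor", "cardiology")}  # master key parts
    s = rng.randrange(1, Q)                                         # per-file randomness
    server = CloudServer()
    server.store("record-1", {a: pow(G, t[a] * s % Q, P_MOD) for a in t})
    for _ in range(revocations):
        new_t = rng.randrange(1, Q)
        server.revoke("doctor", new_t * pow(t["doctor"], -1, Q) % Q)  # rk = t'/t
        t["doctor"] = new_t
    got = server.access("record-1")
    expected = {a: pow(G, t[a] * s % Q, P_MOD) for a in t}
    return got == expected, server.exponentiations
```

    With three revocations before one access, the stored component ends up identical to a fresh encryption under the current master key after a single exponentiation, where updating eagerly would have cost three.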
  • 23. Chapter 8 SYSTEM DESIGN

    For the above project we have to design some UML diagrams, such as the Use Case diagram, Sequence diagram, Class diagram, Data Flow Diagram and E-R Diagram.

    USE CASE DIAGRAM:
  • 24. CLASS DIAGRAM: SEQUENCE DIAGRAM:
  • 25. E-R Diagram: Data Flow Diagram: Level 0:
  • 26. Level 1:
  • 27. Chapter 9 SNAPSHOTS

    When the project is running, the pages appear as follows. First the owner logs in to the cloud server, and then the file is uploaded to the cloud server.

    Figure 9.1 Start page of owner login

    File upload on to the cloud

    Figure 9.2 Upload file for encrypted data
  • 28. Next, the user can access the file from the cloud server. He first registers at the access point, and then the user obtains a public key and master key from that algorithm.

    Figure 9.3 Registration for user

    After successful registration, the cloud server sends the secret key to the user's mail id.

    Figure 9.4 Registration success after get secret key
  • 29. After the registration process the user gets the secret key, and then he uploads the file to the cloud, as given to him by the cloud server.

    Figure 9.5 Send File to cloud

    The file is then selected from the cloud, as shown by the server.

    Figure 9.6 Select File From Cloud
  • 30. The file is sent to the cloud; the secret key is then used to download the file from the cloud.

    Figure 9.7 Enter Secret Key

    Download the file

    Figure 9.8 Download Path
  • 31. Database table:

    Figure 9.9(a) Database table

    User registration detail data:

    Figure 9.9(b) Database table
  • 32. Chapter 10 ADVANTAGES
      • Low initial capital investment
      • Shorter start-up time for new services
      • Lower maintenance and operation costs
      • Higher utilization through virtualization
      • Easier disaster recovery
  • 33. Chapter 11 DISADVANTAGES
      • Software update could change security settings, assigning privileges too low
      • Security concerns
      • Control of your data/system by third-party
  • 34. Chapter 12 CONCLUSION

    This project constructs an ABE-based cryptography scheme for implementing fine-grained access control for cloud computing. The constructed scheme enables user accountability, which can be used to prevent illegal key usages. We identify the need for fine-grained access control in cloud computing. We achieve user accountability by inserting user-specific information into users' attribute private keys. We perform a comprehensive security analysis with respect to data confidentiality and fine-grained access control. In this paper we propose a scheme to achieve this goal by exploiting KP-ABE and uniquely combining it with techniques of proxy re-encryption and lazy re-encryption. Moreover, our proposed scheme can enable the data owner to delegate most of the computation overhead to powerful cloud servers. Confidentiality of user access privilege and user secret key accountability can be achieved. Formal security proofs show that our proposed scheme is secure under standard cryptographic models.