Fine-Grained Access Control with User Revocation in Smart Manufacturing

This research has been founded by the European Union’s Horizon 2020 Research and Innovation program under grant agreement No. 871518, a project named COLLABS [19].Collaborative manufacturing is a key enabler of Industry 4.0 that requires secure data sharing among multiple parties. However, intercompany data-sharing raises important privacy and security concerns, particularly given intellectual property and business-sensitive information collected by many devices. In this paper, we propose a solution that combines four technologies to address these challenges: Attribute-Based Encryption for data access control, blockchain for data integrity and non-repudiation, Hardware Security Modules for authenticity, and the Interplanetary File System for data scalability. We also use OpenID for dynamic client identification and propose a new method for user revocation in Attribute-Based Encryption. Our evaluation shows that the solution can scale up to 2,000,000 clients while maintaining all security guarantees.European Union’s Horizon 2020, 87151

A COMPREHENSIVE STUDY OF CRYPTOGRAPHY AND KEY MANAGEMENT BASED SECURITY IN CLOUD COMPUTING

Cloud computing is a cost effective flexible and proven delivery platform for providing consumer IT services or business services over internet. It has an ability to provide many services over internet. It not only provides computing services but additional computing resources. To interact with various services in the cloud and to store retrieve data from cloud several security mechanism is required. Cryptography and key management mechanism are one of the import services in the cloud to secure data. In this context, this paper investigates the basic problem of cloud computing with cryptography and key management system for enabling support of interoperability between cloud cryptography client and key management services

Attribute-based encryption for cloud computing access control: A survey

National Research Foundation (NRF) Singapore; AXA Research Fun

Towards Cyber Security for Low-Carbon Transportation: Overview, Challenges and Future Directions

In recent years, low-carbon transportation has become an indispensable part as sustainable development strategies of various countries, and plays a very important responsibility in promoting low-carbon cities. However, the security of low-carbon transportation has been threatened from various ways. For example, denial of service attacks pose a great threat to the electric vehicles and vehicle-to-grid networks. To minimize these threats, several methods have been proposed to defense against them. Yet, these methods are only for certain types of scenarios or attacks. Therefore, this review addresses security aspect from holistic view, provides the overview, challenges and future directions of cyber security technologies in low-carbon transportation. Firstly, based on the concept and importance of low-carbon transportation, this review positions the low-carbon transportation services. Then, with the perspective of network architecture and communication mode, this review classifies its typical attack risks. The corresponding defense technologies and relevant security suggestions are further reviewed from perspective of data security, network management security and network application security. Finally, in view of the long term development of low-carbon transportation, future research directions have been concerned.Comment: 34 pages, 6 figures, accepted by journal Renewable and Sustainable Energy Review

Secure data sharing in cloud and IoT by leveraging attribute-based encryption and blockchain

“Data sharing is very important to enable different types of cloud and IoT-based services. For example, organizations migrate their data to the cloud and share it with employees and customers in order to enjoy better fault-tolerance, high-availability, and scalability offered by the cloud. Wearable devices such as smart watch share user’s activity, location, and health data (e.g., heart rate, ECG) with the service provider for smart analytic. However, data can be sensitive, and the cloud and IoT service providers cannot be fully trusted with maintaining the security, privacy, and confidentiality of the data. Hence, new schemes and protocols are required to enable secure data sharing in the cloud and IoT. This work outlines our research contribution towards secure data sharing in the cloud and IoT. For secure data sharing in the cloud, this work proposes several novel attribute-based encryption schemes. The core contributions to this end are efficient revocation, prevention of collusion attacks, and multi-group support. On the other hand, for secure data sharing in IoT, a permissioned blockchain-based access control system has been proposed. The system can be used to enforce fine-grained access control on IoT data where the access control decision is made by the blockchain-based on the consensus of the participating nodes”--Abstract, page iv

CAPD: A Context-Aware, Policy-Driven Framework for Secure and Resilient IoBT Operations

The Internet of Battlefield Things (IoBT) will advance the operational effectiveness of infantry units. However, this requires autonomous assets such as sensors, drones, combat equipment, and uncrewed vehicles to collaborate, securely share information, and be resilient to adversary attacks in contested multi-domain operations. CAPD addresses this problem by providing a context-aware, policy-driven framework supporting data and knowledge exchange among autonomous entities in a battlespace. We propose an IoBT ontology that facilitates controlled information sharing to enable semantic interoperability between systems. Its key contributions include providing a knowledge graph with a shared semantic schema, integration with background knowledge, efficient mechanisms for enforcing data consistency and drawing inferences, and supporting attribute-based access control. The sensors in the IoBT provide data that create populated knowledge graphs based on the ontology. This paper describes using CAPD to detect and mitigate adversary actions. CAPD enables situational awareness using reasoning over the sensed data and SPARQL queries. For example, adversaries can cause sensor failure or hijacking and disrupt the tactical networks to degrade video surveillance. In such instances, CAPD uses an ontology-based reasoner to see how alternative approaches can still support the mission. Depending on bandwidth availability, the reasoner initiates the creation of a reduced frame rate grayscale video by active transcoding or transmits only still images. This ability to reason over the mission sensed environment and attack context permits the autonomous IoBT system to exhibit resilience in contested conditions

Data security in cloud storage services

Cloud Computing is considered to be the next-generation architecture for ICT where it moves the application software and databases to the centralized large data centers. It aims to offer elastic IT services where clients can benefit from significant cost savings of the pay-per-use model and can easily scale up or down, and do not have to make large investments in new hardware. However, the management of the data and services in this cloud model is under the control of the provider. Consequently, the cloud clients have less control over their outsourced data and they have to trust cloud service provider to protect their data and infrastructure from both external and internal attacks. This is especially true with cloud storage services. Nowadays, users rely on cloud storage as it offers cheap and unlimited data storage that is available for use by multiple devices (e.g. smart phones, tablets, notebooks, etc.). Besides famous cloud storage providers, such as Amazon, Google, and Microsoft, more and more third-party cloud storage service providers are emerging. These services are dedicated to offering more accessible and user friendly storage services to cloud customers. Examples of these services include Dropbox, Box.net, Sparkleshare, UbuntuOne or JungleDisk. These cloud storage services deliver a very simple interface on top of the cloud storage provided by storage service providers. File and folder synchronization between different machines, sharing files and folders with other users, file versioning as well as automated backups are the key functionalities of these emerging cloud storage services. Cloud storage services have changed the way users manage and interact with data outsourced to public providers. With these services, multiple subscribers can collaboratively work and share data without concerns about their data consistency, availability and reliability. Although these cloud storage services offer attractive features, many customers have not adopted these services. Since data stored in these services is under the control of service providers resulting in confidentiality and security concerns and risks. Therefore, using cloud storage services for storing valuable data depends mainly on whether the service provider can offer sufficient security and assurance to meet client requirements. From the way most cloud storage services are constructed, we can notice that these storage services do not provide users with sufficient levels of security leading to an inherent risk on users\u27 data from external and internal attacks. These attacks take the form of: data exposure (lack of data confidentiality); data tampering (lack of data integrity); and denial of data (lack of data availability) by third parties on the cloud or by the cloud provider himself. Therefore, the cloud storage services should ensure the data confidentiality in the following state: data in motion (while transmitting over networks), data at rest (when stored at provider\u27s disks). To address the above concerns, confidentiality and access controllability of outsourced data with strong cryptographic guarantee should be maintained. To ensure data confidentiality in public cloud storage services, data should be encrypted data before it is outsourced to these services. Although, users can rely on client side cloud storage services or software encryption tools for encrypting user\u27s data; however, many of these services fail to achieve data confidentiality. Box, for example, does not encrypt user files via SSL and within Box servers. Client side cloud storage services can intentionally/unintentionally disclose user decryption keys to its provider. In addition, some cloud storage services support convergent encryption for encrypting users\u27 data exposing it to “confirmation of a file attack. On the other hand, software encryption tools use full-disk encryption (FDE) which is not feasible for cloud-based file sharing services, because it encrypts the data as virtual hard disks. Although encryption can ensure data confidentiality; however, it fails to achieve fine-grained access control over outsourced data. Since, public cloud storage services are managed by un-trusted cloud service provider, secure and efficient fine-grained access control cannot be realized through these services as these policies are managed by storage services that have full control over the sharing process. Therefore, there is not any guarantee that they will provide good means for efficient and secure sharing and they can also deduce confidential information about the outsourced data and users\u27 personal information. In this work, we would like to improve the currently employed security measures for securing data in cloud store services. To achieve better data confidentiality for data stored in the cloud without relying on cloud service providers (CSPs) or putting any burden on users, in this thesis, we designed a secure cloud storage system framework that simultaneously achieves data confidentiality, fine-grained access control on encrypted data and scalable user revocation. This framework is built on a third part trusted (TTP) service that can be employed either locally on users\u27 machine or premises, or remotely on top of cloud storage services. This service shall encrypts users data before uploading it to the cloud and decrypts it after downloading from the cloud; therefore, it remove the burden of storing, managing and maintaining encryption/decryption keys from data owner\u27s. In addition, this service only retains user\u27s secret key(s) not data. Moreover, to ensure high security for these keys, it stores them on hardware device. Furthermore, this service combines multi-authority ciphertext policy attribute-based encryption (CP-ABE) and attribute-based Signature (ABS) for achieving many-read-many-write fine-grained data access control on storage services. Moreover, it efficiently revokes users\u27 privileges without relying on the data owner for re-encrypting massive amounts of data and re-distributing the new keys to the authorized users. It removes the heavy computation of re-encryption from users and delegates this task to the cloud service provider (CSP) proxy servers. These proxy servers achieve flexible and efficient re-encryption without revealing underlying data to the cloud. In our designed architecture, we addressed the problem of ensuring data confidentiality against cloud and against accesses beyond authorized rights. To resolve these issues, we designed a trusted third party (TTP) service that is in charge of storing data in an encrypted format in the cloud. To improve the efficiency of the designed architecture, the service allows the users to choose the level of severity of the data and according to this level different encryption algorithms are employed. To achieve many-read-many-write fine grained access control, we merge two algorithms (multi-authority ciphertext policy attribute-based encryption (MA- CP-ABE) and attribute-based Signature (ABS)). Moreover, we support two levels of revocation: user and attribute revocation so that we can comply with the collaborative environment. Last but not least, we validate the effectiveness of our design by carrying out a detailed security analysis. This analysis shall prove the correctness of our design in terms of data confidentiality each stage of user interaction with the cloud

Fine-Grained Access Control with Attribute Based Cache Coherency for IoT with application to Healthcare

The Internet of Things (IoT) is getting popular everyday around the world. Given the endless opportunities it promises to provide, IoT is adopted by various organizations belonging to diverse domains. However, IoT’s “access by anybody from anywhere” concept makes it prone to numerous security challenges. Although data security is studied at various levels of IoT architecture, breach of data security due to internal parties has not received as much attention as that caused by external parties. When an organization with people spread across multiple levels of hierarchies with multiple roles adopts IoT, it is not fair to provide uniform access of the data to everyone. Past research has extensively investigated various Access Control techniques like Role Based Access Control (RBAC), Identity Based Access Control (IBAC), Attribute Based Access Control (ABAC) and other variations to address the above issue. While ABAC meets the needs of the growing amount of subjects and objects in an IoT environment, when implemented as an encryption algorithm (ABE) it does not cater to the IoT RDBMS applications. Also, given the query processing over huge encrypted data-set on the Cloud and the distance between the Cloud and the end-user, latency issues are highly prevalent in IoT applications. Various Client side caching and Server side caching techniques have been proposed to meet the latency issues in a Client-Server environment. Client side caching is more appropriate for an IoT environment given the dynamic connections and the large volume of requests to the Cloud per unit time. However, an IoT Cloud has mixed critical data to every user and conventional Client side caching techniques do not exploit this property of IoT data. In this work, we develop (i) an Attribute Based Access Control (ABAC) mechanism for the IoT data on the Cloud in order to provide a fine-grained access control in an organization and (ii) an Attribute Based Cache Consistency (ABCC) technique that tailors Cache Invalidation according to the users’ attributes to cater to the latency as well as criticality needs of different users. We implement and study these models on a Healthcare application comprising of a million Electronic Health Record (EHR) Cloud and a variety of end-users within a hospital trying to access various fields of the EHR from their Smart devices (such as Android phones). ABAC is evaluated with and without ABCC and we shall observe that ABAC with ABCC provides a lower average latency but a higher staleness percentage than the one without ABCC. However, the staleness percentage is negligible since we can see that much of the data that contributes to the staleness percentage are the non-critical data, thus making ABAC with ABCC an efficient approach for IoT based Cloud applications

Towards Secure and Intelligent Diagnosis: Deep Learning and Blockchain Technology for Computer-Aided Diagnosis Systems

Cancer is the second leading cause of death across the world after cardiovascular disease. The survival rate of patients with cancerous tissue can significantly decrease due to late-stage diagnosis. Nowadays, advancements of whole slide imaging scanners have resulted in a dramatic increase of patient data in the domain of digital pathology. Large-scale histopathology images need to be analyzed promptly for early cancer detection which is critical for improving patient's survival rate and treatment planning. Advances of medical image processing and deep learning methods have facilitated the extraction and analysis of high-level features from histopathological data that could assist in life-critical diagnosis and reduce the considerable healthcare cost associated with cancer. In clinical trials, due to the complexity and large variance of collected image data, developing computer-aided diagnosis systems to support quantitative medical image analysis is an area of active research. The first goal of this research is to automate the classification and segmentation process of cancerous regions in histopathology images of different cancer tissues by developing models using deep learning-based architectures. In this research, a framework with different modules is proposed, including (1) data pre-processing, (2) data augmentation, (3) feature extraction, and (4) deep learning architectures. Four validation studies were designed to conduct this research. (1) differentiating benign and malignant lesions in breast cancer (2) differentiating between immature leukemic blasts and normal cells in leukemia cancer (3) differentiating benign and malignant regions in lung cancer, and (4) differentiating benign and malignant regions in colorectal cancer. Training machine learning models, disease diagnosis, and treatment often requires collecting patients' medical data. Privacy and trusted authenticity concerns make data owners reluctant to share their personal and medical data. Motivated by the advantages of Blockchain technology in healthcare data sharing frameworks, the focus of the second part of this research is to integrate Blockchain technology in computer-aided diagnosis systems to address the problems of managing access control, authentication, provenance, and confidentiality of sensitive medical data. To do so, a hierarchical identity and attribute-based access control mechanism using smart contract and Ethereum Blockchain is proposed to securely process healthcare data without revealing sensitive information to an unauthorized party leveraging the trustworthiness of transactions in a collaborative healthcare environment. The proposed access control mechanism provides a solution to the challenges associated with centralized access control systems and ensures data transparency and traceability for secure data sharing, and data ownership