Mediated Ciphertext-Policy Attribute-Based Encryption and its Application (extended version)

In Ciphertext-Policy Attribute-Based Encryption (CP-ABE), a user secret key is associated with a set of attributes, and the ciphertext is associated with an access policy over attributes. The user can decrypt the ciphertext if and only if the attribute set of his secret key satisfies the access policy specified in the ciphertext. Several CP-ABE schemes have been proposed, however, some practical problems, such as attribute revocation, still needs to be addressed. In this paper, we propose a mediated Ciphertext-Policy Attribute-Based Encryption (mCP-ABE) which extends CP-ABE with instantaneous attribute revocation. Furthermore, we demonstrate how to apply the proposed mCP-ABE scheme to securely manage Personal Health Records (PHRs)

SECURE, POLICY-BASED, MULTI-RECIPIENT DATA SHARING

In distributed systems users often need to share sensitive data with other users based on the latter's ability to satisfy various policies. In many cases the data owner may not even know the identities of the data recipients, but deems it crucial that they are legitimate; i.e., satisfy the policy. Enabling such data sharing over the Internet faces the challenge of (1) securely associating access policies with data and enforcing them, and (2) protecting data as it traverses untrusted proxies and intermediate repositories. Furthermore, it is desirable to achieve properties such as: (1) flexibility of access policies; (2) privacy of sensitive access policies; (3) minimal reliance on trusted third parties; and (4) efficiency of access policy enforcement. Often schemes enabling controlled data sharing need to trade one property for another. In this dissertation, we propose two complimentary policy-based data sharing schemes that achieve different subsets of the above desired properties. In the first part of this dissertation, we focus on CiphertextPolicy Attribute- Based Encryption (CP-ABE) schemes that specify and enforce access policies cryptographically and eliminate trusted mediators. We motivate the need for flexible attribute organization within user keys for efficient support of many practical applications. We then propose Ciphertext-Policy Attribute-Set Based Encryption (CP-ASBE) which is the first CP-ABE scheme to (1) efficiently support naturally occurring compound attributes, (2) support multiple numerical assignments for a given attribute in a single key and (3) provide efficient key management. While the CP-ASBE scheme minimizes reliance on trusted mediators, it can support neither context-based policies nor policy privacy. In the second part of this dissertation, we propose Policy Based Encryption System (PBES), which employs mediated decryption and supports both context-based policies and policy privacy. Finally, we integrate the proposed schemes into practical applications (i.e., CP-ASBE scheme with Attribute-Based Messaging (ABM) and PBES scheme with a conditional data sharing application in the Power Grid) and demonstrate their usefulness in practice

State of The Art and Hot Aspects in Cloud Data Storage Security

Along with the evolution of cloud computing and cloud storage towards matu- rity, researchers have analyzed an increasing range of cloud computing security aspects, data security being an important topic in this area. In this paper, we examine the state of the art in cloud storage security through an overview of selected peer reviewed publications. We address the question of defining cloud storage security and its different aspects, as well as enumerate the main vec- tors of attack on cloud storage. The reviewed papers present techniques for key management and controlled disclosure of encrypted data in cloud storage, while novel ideas regarding secure operations on encrypted data and methods for pro- tection of data in fully virtualized environments provide a glimpse of the toolbox available for securing cloud storage. Finally, new challenges such as emergent government regulation call for solutions to problems that did not receive enough attention in earlier stages of cloud computing, such as for example geographical location of data. The methods presented in the papers selected for this review represent only a small fraction of the wide research effort within cloud storage security. Nevertheless, they serve as an indication of the diversity of problems that are being addressed

Cloud Storage That Makes Use Of A Feature-Based Encoding Hierarchy To Maximize Efficiency

Sharing data securely in the cloud is a major difficulty, but cipher text-policy attribute-based encryption has emerged as a top tool for meeting this need. The shared data files used in many different professions, including medicine and the military, have a multi-tiered, intricate structure. The file-sharing structure, however, has not been studied in cipher text-policy attribute-based encryption. Here, we provide a novel cloud-based encryption approach that takes advantage of hierarchies of file attributes. Before encrypting a folder tree, it is common practice to merge the various access controls into a single control scheme. Some components of the encryption text that pertain to attributes might be reused between files. The time and money needed to store encrypted documents and conduct encryption are therefore minimized. Finally, it is demonstrated that the proposed method is safe under the null hypothesis. In experimental simulations of encryption and decryption, the proposed method has been proven to be exceedingly efficient. Our method's advantages become more evident as more data is included

Functional Encryption as Mediated Obfuscation

We introduce a new model for program obfuscation, called mediated obfuscation. A mediated obfuscation is a 3-party protocol for evaluating an obfuscated program that requires minimal interaction and limited trust. The party who originally supplies the obfuscated program need not be online when the client wants to evaluate the program. A semi-trusted third-party mediator allows the client to evaluate the program, while learning nothing about the obfuscated program or the client’s inputs and outputs. Mediated obfuscation would provide the ability for a software vendor to safely outsource the less savory aspects (like accounting of usage statistics, and remaining online to facilitate access) of “renting out” access to proprietary software. We give security definitions for this new obfuscation paradigm, and then present a simple and generic construction based on functional encryption. If a functional encryption scheme supports decryption functionality F (m, k), then our construction yields a mediated obfuscation of the class of functions {F (m, ·) | m}. In our construction, the interaction between the client and the mediator is minimal (much more efficient than a general- purpose multi-party computation protocol). Instantiating with existing FE constructions, we achieve obfuscation for point-functions with output (under a strong “virtual black-box” notion of security), and a general feasibility result for obfuscating conjunctive normal form and disjunctive normal form formulae (under a weaker “semantic” notion of security). Finally, we use mediated obfuscation to illustrate a connection between worst-case and average-case static obfuscation. In short, an average-case (static) obfuscation of some component of a suitable functional encryption scheme yields a worst-case (static) obfuscation for a related class of functions. We use this connection to demonstrate new impossibility results for average-case (static) obfuscation

Secure Data Sensor In Environmental Monitoring System Using Attribute-Based Encryption With Revocation

Wireless sensor networks in internet of thing era have many applications, one of them for environment system, in environmental monitoring system everybody can access data anytime and anywhere. Information was collected using wireless sensor network, all of the data will be sent and stored in the data center. All of data in the data center can be accessed by users through HTTP protocol using a laptop, smartphone and Personal computer. The data in the data center must be secured and the data should be protected from the illegal access by the users from the environment monitoring. To secure the data from the illegal access by the user then the environment monitoring required a security with revocation aspect and encryption the data. CP-ABE (Ciphertext-Policy Attribute-Based Encryption) becomes a solution for this issue, to protect the sensor data and revoke the user. We propose a secure system using CP-ABE with user revocation for protecting the data in data center. Our system is not only encrypting the data sensor, but also revoke to the user. Our experiments system using CP-ABE showed the result for secure the sensor data and revoked the user who does not have the access rights. there are only 2 second processing time for revocation check users.

Health Access Broker: Secure, Patient-Controlled Management of Personal Health Records in the Cloud

Secure and privacy-preserving management of Personal Health Records (PHRs) has proved to be a major challenge in modern healthcare. Current solutions generally do not offer patients a choice in where the data is actually stored and also rely on at least one fully trusted element that patients must also trust with their data. In this work, we present the Health Access Broker (HAB), a patient-controlled service for secure PHR sharing that (a) does not impose a specific storage location (uniquely for a PHR system), and (b) does not assume any of its components to be fully secure against adversarial threats. Instead, HAB introduces a novel auditing and intrusion-detection mechanism where its workflow is securely logged and continuously inspected to provide auditability of data access and quickly detect any intrusions.Comment: Copy of the paper accepted at 13th International Conference on Computational Intelligence in Security for Information Systems (CISIS

A New Method IBE Interfaced with Private Key Generation and Public Key Infrastructure to Achieve High Data Security

A New Method IBE Interfaced with Private Key Generation and Public Key Infrastructure to Achieve High Data Securit