Fine-Grained Access Control Systems Suitable for Resource-Constrained Users in Cloud Computing

For the sake of practicability of cloud computing, fine-grained data access is frequently required in the sense that users with different attributes should be granted different levels of access privileges. However, most of existing access control solutions are not suitable for resource-constrained users because of large computation costs, which linearly increase with the complexity of access policies. In this paper, we present an access control system based on ciphertext-policy attribute-based encryption. The proposed access control system enjoys constant computation cost and is proven secure in the random oracle model under the decision Bilinear Diffie-Hellman Exponent assumption. Our access control system supports AND-gate access policies with multiple values and wildcards, and it can efficiently support direct user revocation. Performance comparisons indicate that the proposed solution is suitable for resource-constrained environment

Estudi de la coautoria de publicacions científiques entre UPC i institucions de Xina

S'analitza la coautoria de la UPC amb autors vinculats a institucions de Xina, per totes les areas temàtiques i sense considerar límits cronològics o documentals.Postprint (author’s final draft

Abordagens sobre computação na nuvem: uma breve revisão sobre segurança e privacidade aplicada a e-saúde no contexto do Programa Conecte SUS e Rede Nacional de Dados em Saúde (RNDS) / Approaches to cloud computing: a brief review of security and privacy applied to e-health in the context of the Connect SUS Program and the National Health Data Network (RNDS)

 No presente artigo, apresentamos uma breve revisão da literatura para e-saúde em ambiente de armazenamento na nuvem. Foram selecionados artigos nas fontes da Medline e Google Scholar, objetivando encontrar informações recentes sobre esta tecnologia emergente para os serviços de saúde. Com relevância à segurança e privacidade de dados em diferentes estudos de computação em nuvem abordaram este tema. Armazenar informações como prontuários eletrônicos e dados relacionados à saúde na nuvem, requerer precauções para garantir a segurança e confidencialidade. Os provedores deste serviço devem garantir que os mecanismos de segurança estejam em vigor para evitar acesso não autorizado e violações de dados. O conhecimento na área de e-saúde e do Programa Conecte SUS também são abordados na sua essência quanto as necessidades de tratamentos na proteção dos dados. A LGPD é apresentada como um marco inovador na questão da conduta e cuidados que as empresas, profissionais e usuários devem ter na utilização dos sistemas e aplicativos em nuvem. Ademais, tópicos importantes da Rede Nacional de Dados em Saúde, ressaltam que os pacientes devem ser mantidos informados sobre como seus dados de saúde devem ser armazenados e gerenciados. O bom senso, o consentimento, a análise da importância na manutenção de dados específicos relativizados à proteção das informações e penalidades impostas no caso de uso indevido são aqui analisadas

Integrated, reliable and cloud-based personal health record: a scoping review.

Personal Health Records (PHR) emerge as an alternative to integrate patient’s health information to give a global view of patients' status. However, integration is not a trivial feature when dealing with a variety electronic health systems from healthcare centers. Access to PHR sensitive information must comply with privacy policies defined by the patient. Architecture PHR design should be in accordance to these, and take advantage of nowadays technology. Cloud computing is a current technology that provides scalability, ubiquity, and elasticity features. This paper presents a scoping review related to PHR systems that achieve three characteristics: integrated, reliable and cloud-based. We found 101 articles that addressed thosecharacteristics. We identified four main research topics: proposal/developed systems, PHR recommendations for development, system integration and standards, and security and privacy. Integration is tackled with HL7 CDA standard. Information reliability is based in ABE security-privacy mechanism. Cloud-based technology access is achieved via SOA.CONACYT - Consejo Nacional de Ciencia y TecnologíaPROCIENCI

Privacy-aware attribute-based PHR sharing with user accountability in cloud computing

This is a copy of the author 's final draft version of an article published in the journal Journal of supercomputing. The final publication is available at Springer via http://dx.doi.org/10.1007/s11227-014-1253-3As an emerging patient-centric model of health information exchange, personal health record (PHR) is often outsourced to be stored at a third party. The value of PHR data is its long-term cumulative record relevant with personal health which can be significant in the future when faced with disease occurrences. As a promising public key primitive, attribute-based encryption (ABE) has been used to design PHR sharing systems. However, the existing solutions fail to achieve several important security objectives, that is, no need for a single authority to issue private keys to all PHR users, user access privacy protection, and user accountability. In this paper, we propose a multi-authority ciphertext-policy ABE scheme with user accountability and apply it to design an attribute-based PHR sharing system. In the proposed solution, the access policy is hidden and hence user access privacy is protected. In particular, the global identity of a misbehaving PHR user who leaked the decryption key to other unauthorized users can be traced, and thus the trust assumptions on both the authorities and the PHR users are reduced. Extensive analysis shows that the proposed scheme is provably secure and efficient.Peer Reviewe

Articles indexats publicats per investigadors del Campus de Terrassa: 2015

Aquest informe recull els 284 treballs publicats per 218 investigadors/es del Campus de Terrassa en revistes indexades al Journal Citation Report durant el 2015Postprint (published version

Securing clouds using cryptography and traffic classification

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Over the last decade, cloud computing has gained popularity and wide acceptance, especially within the health sector where it offers several advantages such as low costs, flexible processes, and access from anywhere. Although cloud computing is widely used in the health sector, numerous issues remain unresolved. Several studies have attempted to review the state of the art in eHealth cloud privacy and security however, some of these studies are outdated or do not cover certain vital features of cloud security and privacy such as access control, revocation and data recovery plans. This study targets some of these problems and proposes protocols, algorithms and approaches to enhance the security and privacy of cloud computing with particular reference to eHealth clouds. Chapter 2 presents an overview and evaluation of the state of the art in eHealth security and privacy. Chapter 3 introduces different research methods and describes the research design methodology and processes used to carry out the research objectives. Of particular importance are authenticated key exchange and block cipher modes. In Chapter 4, a three-party password-based authenticated key exchange (TPAKE) protocol is presented and its security analysed. The proposed TPAKE protocol shares no plaintext data; all data shared between the parties are either hashed or encrypted. Using the random oracle model (ROM), the security of the proposed TPAKE protocol is formally proven based on the computational Diffie-Hellman (CDH) assumption. Furthermore, the analysis included in this chapter shows that the proposed protocol can ensure perfect forward secrecy and resist many kinds of common attacks such as man-in-the-middle attacks, online and offline dictionary attacks, replay attacks and known key attacks. Chapter 5 proposes a parallel block cipher (PBC) mode in which blocks of cipher are processed in parallel. The results of speed performance tests for this PBC mode in various settings are presented and compared with the standard CBC mode. Compared to the CBC mode, the PBC mode is shown to give execution time savings of 60%. Furthermore, in addition to encryption based on AES 128, the hash value of the data file can be utilised to provide an integrity check. As a result, the PBC mode has a better speed performance while retaining the confidentiality and security provided by the CBC mode. Chapter 6 applies TPAKE and PBC to eHealth clouds. Related work on security, privacy preservation and disaster recovery are reviewed. Next, two approaches focusing on security preservation and privacy preservation, and a disaster recovery plan are proposed. The security preservation approach is a robust means of ensuring the security and integrity of electronic health records and is based on the PBC mode, while the privacy preservation approach is an efficient authentication method which protects the privacy of personal health records and is based on the TPAKE protocol. A discussion about how these integrated approaches and the disaster recovery plan can ensure the reliability and security of cloud projects follows. Distributed denial of service (DDoS) attacks are the second most common cybercrime attacks after information theft. The timely detection and prevention of such attacks in cloud projects are therefore vital, especially for eHealth clouds. Chapter 7 presents a new classification system for detecting and preventing DDoS TCP flood attacks (CS_DDoS) for public clouds, particularly in an eHealth cloud environment. The proposed CS_DDoS system offers a solution for securing stored records by classifying incoming packets and making a decision based on these classification results. During the detection phase, CS_DDOS identifies and determines whether a packet is normal or from an attacker. During the prevention phase, packets classified as malicious are denied access to the cloud service, and the source IP is blacklisted. The performance of the CS_DDoS system is compared using four different classifiers: a least-squares support vector machine (LS-SVM), naïve Bayes, K-nearest-neighbour, and multilayer perceptron. The results show that CS_DDoS yields the best performance when the LS-SVM classifier is used. This combination can detect DDoS TCP flood attacks with an accuracy of approximately 97% and a Kappa coefficient of 0.89 when under attack from a single source, and 94% accuracy and a Kappa coefficient of 0.9 when under attack from multiple attackers. These results are then discussed in terms of the accuracy and time complexity, and are validated using a k-fold cross-validation model. Finally, a method to mitigate DoS attacks in the cloud and reduce excessive energy consumption through managing and limiting certain flows of packets is proposed. Instead of a system shutdown, the proposed method ensures the availability of service. The proposed method manages the incoming packets more effectively by dropping packets from the most frequent requesting sources. This method can process 98.4% of the accepted packets during an attack. Practicality and effectiveness are essential requirements of methods for preserving the privacy and security of data in clouds. The proposed methods successfully secure cloud projects and ensure the availability of services in an efficient way