ABEBox: A data driven access control for securing public cloud storage with efficient key revocation

Besides providing data sharing, commercial cloud-based storage services (e.g., Dropbox) also enforce access control, i.e. permit users to decide who can access which data. In this paper we advocate the separation between the sharing of data and the access control function. We specifically promote an overlay approach which provides end-to-end encryption and empowers the end users with the possibility to enforce access control policies without involving the cloud provider itself. To this end, our proposal, named ABEBox, relies on the careful combination of i) attribute-based encryption for custom policy definition and management, with ii) proxy re-encryption to provide scalable re-keying and protection to key-scraping attacks, with a novel revocation procedure. Moreover, iii) we concretely embed our protection mechanisms inside a public domain virtual file system module to provide an overlay and trivial-to-use transparent service which can be deployed on top of any arbitrary cloud storage provider.

[1]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[2]  Bobby Bhattacharjee,et al.  Persona: an online social network with user-defined privacy , 2009, SIGCOMM '09.

[3]  Suhair Alshehri,et al.  Toward Effective Access Control Using Attributes and Pseudoroles , 2014 .

[4]  Prateek Mittal,et al.  EASiER: encryption-based access control in social networks with efficient revocation , 2011, ASIACCS '11.

[5]  Brent Waters,et al.  Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption , 2015, Financial Cryptography.

[6]  Jie Cui,et al.  Multi-authority attribute-based encryption access control scheme with policy hidden for cloud storage , 2016, Soft Computing.

[7]  Hai Jiang,et al.  P-CP-ABE: Parallelizing Ciphertext-Policy Attribute-Based Encryption for clouds , 2016, 2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD).

[8]  S. Singhal,et al.  Outsourcing Business to Cloud Computing Services: Opportunities and Challenges , 2009 .

[9]  Ronald L. Rivest,et al.  All-or-Nothing Encryption and the Package Transform , 1997, FSE.

[10]  Máté Horváth,et al.  Attribute-Based Encryption Optimized for Cloud Computing , 2015, IACR Cryptol. ePrint Arch..

[11]  Tsz Hon Yuen,et al.  Fully Secure Multi-authority Ciphertext-Policy Attribute-Based Encryption without Random Oracles , 2011, ESORICS.

[12]  Robert H. Deng,et al.  Revocable and Decentralized Attribute-Based Encryption , 2016, Comput. J..

[13]  Erez Zadok,et al.  To FUSE or Not to FUSE: Performance of User-Space File Systems , 2017, FAST.

[14]  Gyu Myoung Lee,et al.  Survey on Revocation in Ciphertext-Policy Attribute-Based Encryption , 2019, Sensors.

[15]  Steven Myers,et al.  Efficient Hybrid Proxy Re-Encryption for Practical Revocation and Key Rotation , 2017, IACR Cryptol. ePrint Arch..

[16]  Jiguo Li,et al.  Privacy-Preserving Decentralized Ciphertext-Policy Attribute-Based Encryption with Fully Hidden Access Structure , 2013, ICICS.

[17]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[18]  Brent Waters,et al.  Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[19]  Allison Bishop,et al.  New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques , 2012, CRYPTO.

[20]  Jörn Müller-Quade,et al.  A Novel Cryptographic Framework for Cloud File Systems and CryFS, a Provably-Secure Construction , 2017, DBSec.

[21]  Matthew Green,et al.  Identity-Based Proxy Re-encryption , 2007, ACNS.

[22]  Sebastian Messmer CryFS: Design and Implementation of a Provably Secure Encrypted Cloud Filesystem , 2015 .

[23]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.