Privacy Preserving Delegated Access Control in Public Clouds

Mohamed Nabeel, Elisa Bertino

Research output: Contribution to journal › Article

46 Citations (Scopus)

Abstract

Current approaches to enforce fine-grained access control on confidential data hosted in the cloud are based on fine-grained encryption of the data. Under such approaches, data owners are in charge of encrypting the data before uploading them on the cloud and re-encrypting the data whenever user credentials change. Data owners thus incur high communication and computation costs. A better approach should delegate the enforcement of fine-grained access control to the cloud, so to minimize the overhead at the data owners, while assuring data confidentiality from the cloud. We propose an approach, based on two layers of encryption, that addresses such requirement. Under our approach, the data owner performs a coarse-grained encryption, whereas the cloud performs a fine-grained encryption on top of the owner encrypted data. A challenging issue is how to decompose access control policies (ACPs) such that the two layer encryption can be performed. We show that this problem is NP-complete and propose novel optimization algorithms. We utilize an efficient group key management scheme that supports expressive ACPs. Our system assures the confidentiality of the data and preserves the privacy of users from the cloud while delegating most of the access control enforcement to the cloud.

Original language: English
Article number: 6509875
Pages (from-to): 2268-2280
Number of pages: 13
Journal: IEEE Transactions on Knowledge and Data Engineering
Volume: 26
Issue number: 9
DOI: 10.1109/TKDE.2013.68
Publication status: Published - 1 Sep 2014
Externally published: Yes

Fingerprint

Access control
Cryptography
Computational complexity
Communication
Costs

Keywords

  • access control
  • cloud computing
  • encryption
  • identity
  • policy decomposition
  • Privacy

ASJC Scopus subject areas

  • Information Systems
  • Computer Science Applications
  • Computational Theory and Mathematics

Cite this

Privacy Preserving Delegated Access Control in Public Clouds. / Nabeel, Mohamed; Bertino, Elisa.

In: IEEE Transactions on Knowledge and Data Engineering, Vol. 26, No. 9, 6509875, 01.09.2014, p. 2268-2280.

@article{367427d93adc4167bc47c4712d2b5637,
title = "Privacy Preserving Delegated Access Control in Public Clouds",
abstract = "Current approaches to enforce fine-grained access control on confidential data hosted in the cloud are based on fine-grained encryption of the data. Under such approaches, data owners are in charge of encrypting the data before uploading them on the cloud and re-encrypting the data whenever user credentials change. Data owners thus incur high communication and computation costs. A better approach should delegate the enforcement of fine-grained access control to the cloud, so to minimize the overhead at the data owners, while assuring data confidentiality from the cloud. We propose an approach, based on two layers of encryption, that addresses such requirement. Under our approach, the data owner performs a coarse-grained encryption, whereas the cloud performs a fine-grained encryption on top of the owner encrypted data. A challenging issue is how to decompose access control policies (ACPs) such that the two layer encryption can be performed. We show that this problem is NP-complete and propose novel optimization algorithms. We utilize an efficient group key management scheme that supports expressive ACPs. Our system assures the confidentiality of the data and preserves the privacy of users from the cloud while delegating most of the access control enforcement to the cloud.",
keywords = "access control, cloud computing, encryption, identity, policy decomposition, Privacy",
author = "Mohamed Nabeel and Elisa Bertino",
year = "2014",
month = "9",
day = "1",
doi = "10.1109/TKDE.2013.68",
language = "English",
volume = "26",
pages = "2268--2280",
journal = "IEEE Transactions on Knowledge and Data Engineering",
issn = "1041-4347",
publisher = "IEEE Computer Society",
number = "9",

}
