Privacy Preserving Delegated Access Control in Public Clouds

Mohamed Nabeel, Elisa Bertino

Research output: Contribution to journalArticle

47 Citations (Scopus)

Abstract

Current approaches to enforce fine-grained access control on confidential data hosted in the cloud are based on fine-grained encryption of the data. Under such approaches, data owners are in charge of encrypting the data before uploading them on the cloud and re-encrypting the data whenever user credentials change. Data owners thus incur high communication and computation costs. A better approach should delegate the enforcement of fine-grained access control to the cloud, so to minimize the overhead at the data owners, while assuring data confidentiality from the cloud. We propose an approach, based on two layers of encryption, that addresses such requirement. Under our approach, the data owner performs a coarse-grained encryption, whereas the cloud performs a fine-grained encryption on top of the owner encrypted data. A challenging issue is how to decompose access control policies (ACPs) such that the two layer encryption can be performed. We show that this problem is NP-complete and propose novel optimization algorithms. We utilize an efficient group key management scheme that supports expressive ACPs. Our system assures the confidentiality of the data and preserves the privacy of users from the cloud while delegating most of the access control enforcement to the cloud.

Original languageEnglish
Article number6509875
Pages (from-to)2268-2280
Number of pages13
JournalIEEE Transactions on Knowledge and Data Engineering
Volume26
Issue number9
DOIs
Publication statusPublished - 1 Sep 2014
Externally publishedYes

    Fingerprint

Keywords

  • access control
  • cloud computing
  • encryption
  • identity
  • policy decomposition
  • Privacy

ASJC Scopus subject areas

  • Information Systems
  • Computer Science Applications
  • Computational Theory and Mathematics

Cite this