
Study On Access Control Mechanism Of Cp-abe Under Cloud Storage Environment

Posted on: 2016-04-19 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: A P Xiong | Full Text: PDF
GTID: 1108330473456075 | Subject: Information security
Abstract/Summary:
As an important essential service, cloud storage has been widely acknowledged. Recently, a growing number of individuals and enterprises want to use cloud storage services to save huge quantities and varieties of data, including sensitive information (e.g. enterprises' commercial secrets, users' privacy). However, the cloud service provider (CSP) is not a completely trusted third party. Therefore, an urgent problem is how to let users make full use of the computing and storage resources of cloud computing while keeping their data confidential, protecting valid data from illegal access and modification, and making access control flexible and fine-grained at the same time.

Access control based on cryptography is an important technology for protecting data and preventing access by illegal users. There are three main realization methods: public-key encryption, identity-based encryption and attribute-based encryption access control. Furthermore, the attribute-based encryption mechanism includes two main policies: Key Policy (KP-ABE) and Ciphertext Policy (CP-ABE). In CP-ABE, the ciphertext is associated with the access strategy and the key with the attribute set; a user can decrypt the ciphertext if and only if the user's attributes satisfy the strategy requirements. Consequently, CP-ABE is well suited to the access control of shared ciphertext in cloud computing.

This thesis addresses the security requirements of sensitive information in cloud storage and focuses on efficient and flexible fine-grained CP-ABE access control schemes, together with ciphertext searching and proxy decryption services built on CP-ABE, in order to avoid the high computation overhead and the defects caused by modification of the access control policy. In particular, the main contributions of this thesis are listed as follows.

1. Encryption and decryption involve a heavy computing cost when existing CP-ABE is applied to implement fine-grained access control. To avoid this problem, this thesis redesigns the access control scheme and proposes an optimized access control scheme named Digital Envelope Ciphertext Policy (DECP-ABE), based on the digital envelope. The main contribution of this scheme is that it not only implements fine-grained access control but also reduces the encryption computing cost of data owners (DO) and the decryption computing cost of users. We also prove that the scheme is indistinguishable under chosen-plaintext attack (IND-CPA) in the standard model. Performance simulation results also show the superiority of the proposed scheme in computing performance.

2. To overcome the inflexibility of policy modification in CP-ABE (i.e., the encryption procedure must be re-executed if the access control policy changes), this thesis proposes an access control scheme with quick attribute changes named Attribute-Based Access Control with Virtual Extension (AB-ACVE), which introduces virtual attribute nodes. The notable contribution of the proposed scheme is that, by introducing a few re-encryption ciphertexts from the CSP, a policy attribute can be revoked or recovered flexibly without spending additional time on re-encryption under an access control policy tree built from "AND" and "OR" gates. Security analysis and simulation experiments show that, compared with existing schemes, AB-ACVE makes the access control of policy attributes more flexible and efficient.

3. Aiming at the high computational cost of modifying the ciphertext policy in CP-ABE, an access control scheme named AB-MSRKAS, based on a minimal sharing ciphertext multiple-keys attribute set, is provided. The main advantage of the proposed scheme is that it effectively reduces the CSP's cost of re-encrypting ciphertext while supporting timely revocation of policy attributes. Security analysis and simulation experiments show that the proposed scheme not only maintains the advantages of the original scheme (i.e., flexible and fine-grained access control) but also reduces the system cost of the DO and the CSP.

4. Because of the leakage of correlation information, the ciphertext retrieval service under traditional CP-ABE may damage data confidentiality. To solve this problem, this thesis designs a searchable ciphertext scheme named Searchable Ciphertext Policy (SE-CP-ABE) by combining CP-ABE with a homomorphic encryption algorithm. The main contribution of SE-CP-ABE is that, while guaranteeing the confidentiality of data, it not only reduces the unnecessary network overhead caused by downloading ciphertext for retrieval but also ensures that ciphertext retrieval can be carried out. Security analysis and simulation experiments also show the security and ciphertext retrieval efficiency of our scheme.

5. Because of the limited computing and storage resources of terminal users in the cloud storage environment, ciphertext-policy file sharing is difficult. To resolve this problem, under the assumption that the intranet is secure and trusted, this thesis designs a local proxy decryption scheme named Local Proxy Decryption Ciphertext Policy (LPD-CP-ABE) by combining CP-ABE with digital signatures. In this scheme, the decryption operations are performed by a proxy decryption server under the permission of access control. The main advantage of this scheme is that it not only reduces the computing cost of the terminal user but also ensures the integrity of the shared ciphertext. Moreover, analysis and simulation experiments also show the security and validity of the proposed scheme.

In conclusion, under the condition that the CSP is not completely trusted in the cloud storage environment, this thesis studies the efficiency of CP-ABE, the modification of policy attributes and the application services. The main contributions of this thesis are summarized as follows: (1) a more efficient fine-grained access control scheme is designed; (2) an access control scheme supporting the flexible modification of policy attributes is provided; (3) on this basis, a cloud storage ciphertext searching scheme and a local proxy decryption scheme are proposed. These achievements can provide beneficial references for the study of secure access control and for the promotion and application of cloud storage.
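As an added illustration (not code from the dissertation or any of its schemes), the following Python evaluates a CP-ABE access policy tree against a user's attribute set, which is the condition under which a key can decrypt a ciphertext; it generalizes the "AND"/"OR" gates mentioned above to k-of-n threshold gates. The policy, attribute names and the Gate/AND/OR helpers are constructed for this example, and no pairing-based cryptography is modelled.

```python
# Added example (not from the dissertation): the access-structure check at the
# heart of CP-ABE. The ciphertext carries a policy tree, the user's key carries
# an attribute set, and decryption is possible only when the attributes satisfy
# the tree. k-of-n threshold gates generalize the "AND"/"OR" gates in the
# abstract; the pairing-based cryptography itself is not modelled here.
from dataclasses import dataclass
from typing import Tuple, Union

Node = Union["Gate", str]  # a threshold gate, or an attribute name at a leaf

@dataclass(frozen=True)
class Gate:
    """k-of-n threshold gate: satisfied when at least k children are satisfied."""
    k: int
    children: Tuple[Node, ...]

    def __post_init__(self):
        if not 1 <= self.k <= len(self.children):
            raise ValueError("threshold must lie between 1 and the number of children")

def AND(*children: Node) -> Gate:  # every child is required
    return Gate(len(children), tuple(children))

def OR(*children: Node) -> Gate:   # any single child suffices
    return Gate(1, tuple(children))

def satisfies(policy: Node, attrs: frozenset) -> bool:
    """Recursively decide whether the attribute set satisfies the policy tree."""
    if isinstance(policy, str):            # leaf: the key must hold this attribute
        return policy in attrs
    hits = sum(satisfies(child, attrs) for child in policy.children)
    return hits >= policy.k

def can_decrypt(policy: Node, user_attrs) -> bool:
    """The condition a CP-ABE decryptor must meet for the key to open the ciphertext."""
    return satisfies(policy, frozenset(user_attrs))

# Constructed sample policy attached to a ciphertext:
# (Dept:Finance AND Role:Manager) OR (Role:Auditor AND at least 2 of 3 project tags)
POLICY = OR(
    AND("Dept:Finance", "Role:Manager"),
    AND("Role:Auditor", Gate(2, ("Proj:A", "Proj:B", "Proj:C"))),
)

if __name__ == "__main__":
    print(can_decrypt(POLICY, {"Dept:Finance", "Role:Manager"}))      # True
    print(can_decrypt(POLICY, {"Role:Auditor", "Proj:A", "Proj:C"}))  # True
    print(can_decrypt(POLICY, {"Role:Auditor", "Proj:A"}))            # False
```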
Keywords/Search Tags: Cloud storage, Ciphertext policy attribute based encryption, Access control, Attribute of policy, Ciphertext retrieval