
Research On Attribute-Based Data Access Control In Cloud Storage

Posted on: 2016-09-20
Degree: Master
Type: Thesis
Country: China
Candidate: J F Yu
GTID: 2308330464454444
Subject: Computer application technology
Abstract/Summary:
Cloud computing is a new and very promising computing paradigm. It is a significant achievement of the movement towards intensive, large-scale, standardized specialization, and is widely regarded as an important source of growth in the field of information technology. However, with its continuous development and wide application, the security problems of cloud computing have gradually been exposed, especially data security in cloud storage. Cloud storage is an important service of cloud computing. It allows data owners to host their data in the cloud, which provides data access to data consumers. After storing data in the cloud, data owners lose control over the remote data and cannot guarantee its security, because cloud service providers, being commercial by nature, will attempt to spy on users’ private data, while privileged users may obtain data illegally. Therefore, we must ensure the confidentiality of sensitive data and provide secure and legal data access control.

To prevent the cloud server and privileged users from gaining unauthorized access to data, and to achieve fine-grained access control, we transplant attribute-based encryption (ABE) into the cloud storage system. As a public-key mechanism, ABE supports a one-to-many communication mode. Compared to traditional public key infrastructure (PKI), ABE has incomparable advantages. First, the encrypting party does not need to know the public key certificate of the decrypting party. Second, a group of decrypting parties, rather than only one, can decrypt the ciphertext, so the encrypting party does not need to encrypt the same data many times. Last but not least, ABE provides flexible access policies and achieves fine-grained access control.

Although ABE is well suited to applications with a high rate of sharing, applying ABE to a cloud storage system brings several challenges with regard to attribute and user revocation. When a user sends a request to join or leave the system, and holds or drops some attribute, the authority must guarantee the backward and forward secrecy of the data by updating data owners’ ciphertexts and data consumers’ keys.

This thesis mainly concentrates on the issue of attribute-based encryption access control in cloud storage systems. The main work of this thesis is as follows:

Firstly, we describe two currently popular cloud storage systems and analyse the general state of research on the attribute-based encryption (ABE) mechanism.

Secondly, we study the problem of permission revocation in ciphertext-policy attribute-based encryption (CP-ABE). To address this challenging issue, we propose a fine-grained data access control scheme with efficient revocation for cloud storage systems by introducing the concept of an attribute group and applying broadcast encryption to CP-ABE. The proposed scheme is collusion-resistant. It not only guarantees the confidentiality of the outsourced data but also ensures backward and forward secrecy. Besides, it reduces the workload of the trusted authority.

Thirdly, we study the problem of direct and indirect revocation in CP-ABE. Most existing CP-ABE schemes support either direct revocation or indirect revocation. To resolve this issue, we propose a CP-ABE scheme supporting both direct and indirect revocation. When a user is revoked, we delete the specified ID from the legal user list. When attribute revocation occurs, we apply attribute version control to generate a key that updates users’ secret keys and the data owner’s ciphertext. The proposed scheme fully absorbs the advantages of the two revocation modes, so it not only satisfies the security features of CP-ABE but also improves the efficiency of revocation.

Finally, we analyse and summarize several key problems that still exist in data access control in cloud storage, and point out directions for future research.
Keywords/Search Tags:attribute-based encryption, cloud storage, access control, revocation, ciphertext policy