
Research On Access Control Mechanisms For Cloud Storage System From Attribute-based Encryption

Posted on: 2017-05-22
Degree: Master
Type: Thesis
Country: China
Candidate: H P Zhang
GTID: 2348330488457279
Subject: Information security
Abstract/Summary:
Cloud storage is a new storage pattern that has grown out of cloud computing technology. Because of its low cost, easy-to-use interface and high scalability, it has been widely adopted by companies and individuals for data storage. This new storage model, however, has brought with it data security problems. When data is shared between different users in a cloud computing environment, a malicious or unauthorized user may be able to access and modify other users' data in some way. Access control is an effective method for protecting the security of data and the privacy of users. At present, cloud storage service providers offer only simple access control functions and can ensure the security of user data only with traditional encryption methods. Given the security requirements of data in the complex cloud environment, these providers often fail to achieve fine-grained access control effectively. In addition, for business or personal reasons, some data owners require strict access control. Ciphertext-policy attribute-based encryption (CP-ABE) is well suited to constructing an access control mechanism for a cloud storage system. In a CP-ABE scheme, the data owner encrypts data under an access structure, and an attribute set is assigned to each user's private key. If a user's attribute set satisfies the access structure, the user can decrypt the ciphertext. The revocation and granting of user attributes are under the control of the authority and the data owner, so attribute revocation and key update are important issues that affect the overhead and efficiency of the cloud storage system.

We propose a ciphertext-policy attribute-based encryption scheme with attribute revocation. The work is as follows:

(1) First, the access control tree is redesigned so that it is divided into two parts. One part is a sub-tree access structure for read permission, with an attribute set for the user's read permission. The other part is a sub-tree access structure for write permission, with an attribute set for the user's read permission. The user's private key is divided into two parts according to the two sub-trees.

(2) Second, to achieve efficient and real-time revocation of user attributes, the system model introduces a proxy re-encryption agent that holds part of the user's private key and a user attribute revocation list; the proxy server re-encrypts the part of the user's private key that it stores in order to change the user's privileges. Key generation and distribution are done by the data owners and the authority. The proxy server performs the re-encryption of keys, which reduces the cost of key management, and maintains the attribute revocation list; it can also change write permission by updating the user's write-permission private key.

(3) We simulate our scheme and carry out a performance analysis against other typical schemes. The simulation results and performance analysis show that the main performance advantage of the scheme lies in user attributes and attribute revocation, where the computational cost is greatly reduced, and that it supports immediate revocation.
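The following is an added model of the split read/write access structure and the proxy-held revocation list described in the abstract; it is not the thesis' code. It evaluates threshold-gate access trees over attribute sets only and leaves out the CP-ABE encryption and proxy re-encryption themselves, so the names Gate, Policy, UserKey and check_access, and the sample policy and user, are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Added illustration (not the thesis' code): an access tree node is either an
# attribute (str) or a threshold gate over child nodes. AND is n-of-n and
# OR is 1-of-n, so one node type covers both gate kinds.
@dataclass(frozen=True)
class Gate:
    threshold: int
    children: tuple

def AND(*c): return Gate(len(c), c)
def OR(*c): return Gate(1, c)

def satisfies(node, attrs):
    """True if the attribute set `attrs` satisfies the (sub)tree rooted at `node`."""
    if isinstance(node, str):
        return node in attrs
    met = sum(satisfies(c, attrs) for c in node.children)
    return met >= node.threshold

@dataclass(frozen=True)
class Policy:
    """Ciphertext policy split into a read sub-tree and a write sub-tree."""
    read_tree: Gate
    write_tree: Gate

@dataclass(frozen=True)
class UserKey:
    """User private key split into a read part and a write part (attribute sets)."""
    user_id: str
    read_attrs: frozenset
    write_attrs: frozenset

def check_access(policy, key, revocation_list):
    """Return (can_read, can_write). `revocation_list` maps a user id to the
    attributes the proxy has revoked for that user; revocation is modelled here
    by dropping them from the key before evaluation (the scheme itself does this
    by re-encrypting the key part the proxy stores)."""
    revoked = revocation_list.get(key.user_id, frozenset())
    can_read = satisfies(policy.read_tree, key.read_attrs - revoked)
    can_write = satisfies(policy.write_tree, key.write_attrs - revoked)
    return can_read, can_write

# Constructed sample: finance analysts or auditors may read; writing needs a
# finance manager.
SAMPLE_POLICY = Policy(
    read_tree=OR(AND("dept:finance", "role:analyst"), "role:auditor"),
    write_tree=AND("dept:finance", "role:manager"),
)
ALICE = UserKey("alice", frozenset({"dept:finance", "role:analyst"}),
                frozenset({"dept:finance", "role:manager"}))
```

Revoking only `role:manager` for alice removes her write permission while her read permission is unchanged, which is the independent read/write revocation the split tree is meant to give.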
Keywords/Search Tags: Cloud Storage, Access Control, Attributes Revocation, proxy re-encryption