Abstract
CP-ABE (Ciphertext-Policy Attribute-Based Encryption) with hidden access control policy enables data owners to share their encrypted data using cloud storage with authorized users while keeping the access control policies blinded. However, a mechanism to prevent users from achieving successive access to a data owner’s certain number of data objects, which present a conflict of interest or whose combination thereof is sensitive, has yet to be studied. In this paper, we analyze the underlying relations among these particular data objects, introduce the concept of the sensitive data set constraint, and propose a CP-ABE access control scheme with hidden attributes for the sensitive data set constraint. This scheme incorporates extensible, partially hidden constraint policy. In our scheme, due to the separation of duty principle, the duties of enforcing the access control policy and the constraint policy are divided into two independent entities to enhance security. The hidden constraint policy provides flexibility in that the data owner can partially change the sensitive data set constraint structure after the system has been set up.
Highlights
With the advancement of cloud computing [1], an increasing number of organizations and individual users are willing to store their private data in cloud storage to share with others
To handle the constraint for a sensitive data set stored in cloud storage that utilizes CP-ABE, we propose a CP-ABE access control scheme for sensitive data sets with a flexible, partially hidden constraint policy; in addition, the scheme retains the features of the hidden access control policy
We proposed an access control approach for generalized sensitive data set (SDS) constraints for cloud storage; the constraint originated from the SOD of RBAC and the Chinese Wall security policy
Summary
With the advancement of cloud computing [1], an increasing number of organizations and individual users are willing to store their private data in cloud storage to share with others. In the CP-ABE scenario, it is inappropriate to split all users into two mutually disjoint sets beforehand by choosing an access structure for the two data objects This is because an authorized user is initially supposed to be able to access either of the two data objects freely. For cloud storage, where the access control is realized via CP-ABE, there remains no such mechanism for effectively controlling a user’s successive access to data objects from a data owner’s sensitive data set to prevent commercial fraud, mistakes, or the leakage of critical information. To handle the sensitive data set constraint, an entity in the system needs to know whether the user has the ability to decrypt the data objects in the sensitive data set without knowing any information about the access control policy of the data object.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
