Achieve Access Control Research Articles

SMKA: Secure multi-key aggregation with verifiable search for IoMT

The Internet of Medical Things (IoMT) aggregates numerous smart medical devices and fully employs the collected health data to enhance patients’ experiences. In IoMT, patients generate various encryption keys and receive keyword information sent by data requesters to securely share selected health data, which increases the potential risk of key leakage. Besides, the cloud server may tamper with search results. The existing schemes did not consider that patients may inadvertently disclose the keyword information of data requesters. Additionally, these schemes entail a significant cost for verifying the search results. To deal with these challenges, we innovatively propose a secure multi-key aggregation (SMKA) scheme with verifiable search for IoMT. Firstly, the SMKA scheme is built upon key-aggregate searchable encryption, utilizing an oblivious search request and blockchain technology to achieve secure key aggregation. Secondly, a dual verifiable algorithm is integrated into the scheme to provide lightweight verification for the search results. The proposed scheme can achieve access control, requester privacy, accountability, and dual verification while ensuring secure search. Furthermore, the security analysis and proof have shown the effectiveness of the proposed protocol in achieving the intended security goals. Finally, the performance analysis indicates the significant feasibility and scalability of the proposed scheme.

BSKM-FC: Blockchain-based secured key management in a fog computing environment

With an increase in the number of devices in the edge layer connected to the fog server of the fog computing environment, it is found that vulnerable and unauthorized activities are also increasing relatively. Thus, there is a requirement for authorized access control in such an environment that is governed by secured and efficient key management between the communicating devices. Many researchers have presented conventional solutions for key management depending on a third party. The third party operated for a key generation or key distribution in a fog computing environment based on a centralized architecture which leads to the drawbacks like a single-point failure and inconsistency of key management. So, effective and secured key management between the edge devices which are willing to communicate is the major concern to be addressed in the current digital world to achieve access control. This paper proposes a BSKM-FC (Blockchain-based Secured Key Management in a Fog Computing Environment) which is a decentralized system in a fog computing environment without using a third party. The BSKM-FC makes use of a one-way hash chain for the generation of private and public key pairs and ECC (Elliptic Curve Cryptography) for secured sharing. Upon successful authentication, the session key generation at both edge devices is based on the key pair provided by the fog server and stored securely in the blockchain. The BSKM-FC system uses private blockchain technology in the fog layer to provide secured storage and management. The work is implemented in the Truffle Blockchain and found that BSKM-FC performs better in terms of overall block preparation time. The security analysis of the proposed scheme is carried out based on the ROR model and also verified using AVISPA for some known attacks. Informal security analysis of the proposed work is performed by considering some of the known attacks where we observe that the proposed scheme overcomes such attacks. Performance overhead analysis is demonstrated using MIRACL considering computation cost, communication cost, and storage cost. The results show that the proposed scheme meets security requirements and performs effectively. The computation overhead, communication overhead, storage overhead, and block preparation time of the proposed scheme were improved by 7% to 14%, 9% to 18%, 7% to 17%, and 14% to 28%, respectively, as compared to existing schemes.

A Secure and Privacy-Preserving Medical Data Sharing via Consortium Blockchain

Medical data sharing is of great significance in promoting smart medicine. However, the heterogeneity of information systems used by various medical institutions makes sharing difficult. In addition, since medical data involves a great deal of sensitive information, sharing it could easily lead to the leakage of personal privacy. Blockchain, gained popularity as a distributed ledger technology, has great potential to connect heterogeneous systems and provides authenticity and integrity guarantees for medical data sharing. Focusing on the issues of medical data sharing and privacy protection, we propose a medical data sharing scheme based on consortium blockchain. To achieve access control, attribute-based access control technique is implemented, where patients preset attribute-specific access policies for their medical records, and record requesters are described by a set of attributes. For patients, we devise a hybrid storage mode to write access policies of medical records on the consortium blockchain network and store encrypted medical records off-chain. Leveraging blockchain and smart contracts, access privilege control and access history tracking can be realized. To enhance the key management, a tree of medical records is constructed for each patient, and by simply keeping the medical record trees, patients can recover their encryption keys at any time. Furthermore, we carry out an extensive analysis to show the high security and efficiency of our proposed scheme. Finally, we build a Quorum consortium blockchain on the Tencent Cloud and deploy smart contracts on the chain to simulate transactions in our scheme. The experiment results indicate the proposed scheme achieves good feasibility.

Practical Multiauthority Attribute-Based Access Control for Edge-Cloud-Aided Internet of Things

With the assistance of edge computing which reduces the heavy burden of the cloud center server by using the network edge servers, the Internet of Things (IoTs) architectures enable low latency for real-time devices and applications. However, there still exist security challenges on data access control for the IoT. Multiauthority attribute-based encryption (MA-ABE) is a promising technique to achieve access control over encrypted data in cross-domain applications. Based on the characteristics and technical requirements of the IoT, we propose an efficient fine-grained revocable large universe multiauthority access control scheme. In the proposed scheme, the most expensive encryption operations have been executed in the user’s initialization phase by adding a reusable ciphertext pool besides splitting the encryption algorithm to online encryption and offline encryption. Massive decryption operations are outsourced to the near-edge servers for reducing the computation overhead of decryption. An efficient revocation mechanism is designed to change users’ access privileges dynamically. Moreover, the scheme supports ciphertext verification. Only valid ciphertext can be stored and transmitted, which saves system resources. With the help of the chameleon hash function, the proposed scheme is proven CCA2-secure under the q-DPBDHE2 assumption. The performance analysis results indicate that the proposed scheme is efficient and suitable in edge computing for the IoT.

An efficient attribute-based encryption scheme based on SM9 encryption algorithm for dispatching and control cloud

Dispatching and Control Cloud (DCC) is a cloud platform constructed by State Grid Corporation with the technology of cloud computing. DCC has improved the overall operation and monitoring capabilities, the smart level and many other advantages of power grid. However, the development of DCC has been hampered by security and privacy issues. Secure unified identity authentication, access control and authorisation management are significant topics in DCC. To find out a solution for the topics above, we have employed some encryption schemes using the attribute-based encryption(ABE), as ABE can preserve users' privacy and achieve access control with fine grain over the encrypted information. SM9 is a kind of Chinese official standard in the field of cryptography, which contains the SM9 encryption algorithm (SM9-IBE). In this paper, an ABE scheme based on SM9-IBE is proposed, making SM9 support fine-grained access control which would be better applied in DCC. Our proposed scheme (SM9-ABE) has been proven to be of great security in the selective CPA model under DBDH assumption. Furthermore, we implement SM9-ABE and evaluate its practical performance. The implementation indicates our scheme performs well in the matter of security and functionality, at an additional time cost which is acceptable.

ESAC: An Efficient and Secure Access Control Scheme in Vehicular Named Data Networking

In Vehicular Ad Hoc Networks (VANETs), the mobility of vehicles and urban obstacles may make the traditional IP-based content delivery mechanisms; work sluggishly. To address this problem, we adopt the Vehicular Named Data Networking (V-NDN) architecture to enable efficient content delivery. However, secure access control and incentive design are rarely taken into account in existing solutions. In this paper, we propose an efficient and secure access control (ESAC) scheme for content delivery in V-NDN. Specifically, we construct the proxy re-encryption method to achieve access control and data confidentiality, while using pseudonyms and the identity-based signature to ensure anonymous authentication and content integrity. Furthermore, the revocation of illegal vehicles and updating operations are performed by the constructed proxy re-encryption method, which significantly reduces communication overhead. Finally, an incentive scheme is designed to improve the utility of NDN in VANETs. The security analysis shows that ESAC can meet the security requirements of the content delivery in VANETs while significantly lowering the overhead.

Fine-grained assured data deletion scheme based on attribute association

ABSTRACT With the rapid development of cloud computing technology, an increasing number of enterprises and users store their data in the cloud to achieve convenient storage and data sharing. However, once data is stored in a third-party cloud storage service provider, the privacy and integrity of the data can be compromised. This paper proposes a fine-grained assured data deletion scheme based on attribute association (ADAA), which aims to protect security and achieve assured deletion of outsourced data. The scheme uses standard encryption technology to ensure the privacy and integrity of the data and implements secure deletion based on attribute revocation. At the same time, it incorporates access policy graphs and policy combinations to achieve fine-grained access control and data sharing. In addition, it associates attributes to achieve access control by using a homomorphic hash function, and it establishes a deletion confirmation feedback mechanism to provide a reliable guarantee. By experimenting and comparing with related schemes, ADAA is proved to be safe and efficient, and it provides a practical method for the assured deletion of cloud storage data.

Access Control Mechanism for IoT using Blockchain

In our everyday lives, IoT plays a vital role. It is crucial to sense, capture and share data from connected devices via internet. Existing system proposed centralized client/server approach where central authority keeps a record of all the activities. Failure of such centralized authority makes the whole system fail. A decentralized / distributed approach is therefore needed if a single failure point is avoided. In this paper contains information to integrating Blockchain in IoT ecosystem in order to achieve access control. We proposed smart contract based architecture which consist multiple permission contract, one decision contract and one entry contract, to achieve distributed and secure IoT device access control. To conclude system framework, we provide a case study in an IoT system with two laptops and one Raspberry Pi single-board computers, where the PCs, DC and EC are implemented based on the Ethereum smart contract platform to achieve the access control.

Searchable Encryption with Access Control on Keywords in Multi-User Setting

Searchable encryption technology makes it convenient to search encrypted data with keywords for people. A data owner shared his data with other users on the cloud server. For security, it is necessary for him to build a fine-grained and flexible access control mechanism. The main idea of this paper is to let the owner classify his data and then authorizes others according to categories. The cloud server maintains a permission matrix, which will be used to verify whether a trapdoor is valid or not. In this way we can achieve access control and narrow the search range at the same time. We prove that our scheme can achieve index and trapdoor indistinguishability under chosen keywords attack security in the random oracles.

Secured Fine-Grained Selective Access to Outsourced Cloud Data in IoT Environments

With the vast increase in data transmission due to a large number of information collected by devices, data management, and security has been a challenge for organizations. Many data owners (DOs) outsource their data to cloud repositories due to several economic advantages cloud service providers present. However, DOs, after their data are outsourced, do not have complete control of the data, and therefore, external systems are incorporated to manage the data. Several kinds of research refer to the use of encryption techniques to prevent unauthorized access to data but prove to be deficient in providing suitable solutions to the problem. In this article, we propose a secure fine-grain access control system for outsourced data, which supports read and write operations to the data. We make use of an attribute-based encryption (ABE) scheme, which is regarded as a suitable scheme to achieve access control for security and privacy (confidentiality) of outsourced data. This article considers different categories of data users, and make provisions for distinct access roles and permissible actions on the outsourced data with dynamic and efficient policy updates to the corresponding ciphertext in cloud repositories. We adopt blockchain technologies to enhance traceability and visibility to enable control over outsourced data by a DO. The security analysis presented demonstrates that the security properties of the system are not compromised. Results based on extensive experiments illustrate the efficiency and scalability of our system.

Re‐definable access control over outsourced data in cloud storage systems

There is an increasing concern for data privacy when people outsource their data to remote cloud storage servers. To secure outsourced data, cloud users are suggested to employ cryptographic encryption to specify access policies such that only users meeting the policies can access the data. After the application of an encryption, however, users are difficult to modify their access policies since the policies were already formulated by the encryption. To address such problem, the authors propose a new approach referred to as re-definable access control (RDAC). The RDAC utilises identity-based encryption (IBE) and attribute-based encryption (ABE) to secure outsourced data and allows users to choose either to achieve access control according to their capability and requirements. Moreover, the RDAC allows users to change simple access policies into fine-grained access policies by converting IBE encrypted files into ABE encrypted ones, without leaking the underlying data. Surprisingly, the access policy conversion does not require the users to perform any costly computation, nor the storage servers to be disturbed. The authors prove the security of RDAC under a rigorous definition, and empirically show that the introduction of the conversion incurs almost no costs to the outsourcing and access procedures.

FGAC-NDN: Fine-Grained Access Control for Named Data Networks

Named data network (NDN) is one of the most promising information-centric networking architectures, where the core concept is to focus on the named data (or contents) themselves. Users in NDN can easily send a request packet to get the desired content regardless of its address. The routers in NDN have cache functionality to make the users instantly retrieve the desired file. Thus, the user can immediately get the desired file from the nearby nodes instead of the remote host. Nevertheless, NDN is a novel proposal and there are still some open issues to be resolved. In view of previous research, it is a challenge to achieve access control on a specific user and support potential receivers simultaneously. In order to solve it, we present a fine-grained access control mechanism tailored for NDN, supporting data confidentiality, potential receivers, and mobility. Compared to previous works, this is the first to support fine-grained access control and potential receivers. Furthermore, the proposed scheme achieves provable security under the DBDH assumption.

An attribute-based encryption scheme with multiple authorities on hierarchical personal health record in cloud

In the personal health record (PHR) system, the patient’s health records are usually outsourced to a large database, such as the cloud service provider. In order to guarantee the confidentiality of this data , achieve access control with flexibility and fine-grained property, it usually employs ciphertext-policy attribute-based encryption (CP-ABE) scheme in cloud computing. However, the outsourced data have the characteristic of multi-level hierarchy, and the general CP-ABE is inappropriate for being applied in distributed cloud service systems directly to provide the security of hierarchy structure of outsourced data. In this paper, to overcome this challenge, a PHR hierarch CP-ABE scheme with multiple authorities is presented. This protocol integrated some different access structures into a single one, which the hierarchical PHR is encrypted based on. There are multiple authorities to generate and distribute user’s private key all together. According to this mode, it enables to avoid the problem of key escrow and conform to the distributed characteristic of cloud service systems. However, it has no trusted single or central one in these authorities. Moreover, this proposed scheme resists $$(N-1)$$ corrupted authorities out of N authorities in the collusion attack. Based on the intractability of the standard decisional bilinear Diffie–Hellman problem, the security of this protocol is proven to be semantic secure. Finally, by comparison analysis, this protocol exhibits a better performance.

Achieving Data Confidentiality And Access Control Through Ciphertext Property Based on Symmetric Encryption with Undeniable Assignment

In the cloud, for achieving access control and keeping data confidential, the data owners could adopt attribute-based encryption to encrypt the stored data. Users with limited computing power are however more likely to delegate the mask of the decryption task to the cloud servers to reduce the computing cost. As a result, attribute-based encryption with delegation emerges. Still, there are caveats and questions remaining in the previous relevant works. For instance, during the delegation, the cloud servers could tamper or replace the delegated ciphertext and respond a forged computing result with malicious intent. They may also cheat the eligible users by responding them that they are ineligible for the purpose of cost saving. Furthermore, during the encryption, the access policies may not be flexible enough as well. Since policy for general circuits enables to achieve the strongest form of access control, a construction for realizing circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation has been considered in our work. In such a system, combined with verifiable computation and encrypt-then-mac mechanism, the data confidentiality, the fine-grained access control and the correctness of the delegated computing results are well guaranteed at the same time. Besides, our scheme achieves security against chosen-plaintext attacks under the k-multilinear Decisional Diffie-Hellman assumption. Moreover, an extensive simulation campaign confirms the feasibility and efficiency of the proposed solution. Index Terms—Ciphertext-policy attribute-based encryption, Circuits, Verifiable delegation, Multilinear map, Hybrid encryption. F

Về một phương pháp điều khiển truy nhập trong cơ sở dữ liệu

A new access control sheme for information protection system is proposed. It assigns every legal user just on interger key in such a way that employing a simple formula to the key of the user subject and the ID number of the resource object yields the corresponding access right in the protection system. In the article also has given a concept of access control and grouped key. The described method is applied to relational database for implementing a single key that achieves access control in it.

Circuit Ciphertext-Policy Attribute-Based Hybrid Encryption with Verifiable Delegation in Cloud Computing

In the cloud, for achieving access control and keeping data confidential, the data owners could adopt attribute-based encryption to encrypt the stored data. Users with limited computing power are however more likely to delegate the mask of the decryption task to the cloud servers to reduce the computing cost. As a result, attribute-based encryption with delegation emerges. Still, there are caveats and questions remaining in the previous relevant works. For instance, during the delegation, the cloud servers could tamper or replace the delegated ciphertext and respond a forged computing result with malicious intent. They may also cheat the eligible users by responding them that they are ineligible for the purpose of cost saving. Furthermore, during the encryption, the access policies may not be flexible enough as well. Since policy for general circuits enables to achieve the strongest form of access control, a construction for realizing circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation has been considered in our work. In such a system, combined with verifiable computation and encrypt-then-mac mechanism, the data confidentiality, the fine-grained access control and the correctness of the delegated computing results are well guaranteed at the same time. Besides, our scheme achieves security against chosen-plaintext attacks under the $k$ -multilinear Decisional Diffie-Hellman assumption. Moreover, an extensive simulation campaign confirms the feasibility and efficiency of the proposed solution.

Android-Based Smart Access Control System for Open Laboratory

In order to protectproperty of laboratory, restricted access to laboratory, this paper focuses onthe development of smart access control system for open laboratory by using theAndroid system and embedded technology. This system uses three key parameters ofthe Android phone's Wi-Fi signal strength, GPS positioning information andidentification number to achieve access control certification, personnelorientation and personnel information collection. Then the laboratory personneldata would be updated and storage in database in real-time via PC LabVIEWapplication. The access control system is stable and have well real-time. Thissystem will be able to meet the university laboratory management requirementsand greatly improving the management level of the laboratory.

Mediated IBC-Based Management System of Identity and Access in Cloud Computing

Cloud computing is a new technology that provide to consumers dramatically scalable andvirtualized resources, bandwidth, software and hardware on demand. However, cloud computingintroduces serious security problems. One of these major security concerns is the management ofaccess and identities of different entities involved in such environment. This paper proposes a newsystem for Identity and Access Management (IAM) based on combining the techniques of Identity-BasedCryptography (IBC) and security mediated cryptography with the Trusted Cloud (TC) to facilitate thesecure management and access control for cloud computing. IBC is an interesting choice for IAM as itsignificantly reduces the key management complexity. On the other hand, mediated cryptographyenables system administrators to achieve access control in a fine grained manner, while a TC canprovide a Single Sign On (SSO) ability to users. The paper also presents results of the developedprototype implementation of the proposed IAM system.

Oblivious transfer with access control and identity-based encryption with anonymous key issuing

In ACM’CCS 2009, Camenisch, et al. proposed the Oblivious Transfer with Access Control (AC-OT) in which each item is associated with an attribute set and can only be available, on request, to the users who have all the attributes in the associated set. Namely, AC-OT achieves access control policy for conjunction of attributes. Essentially, the functionality of AC-OT is equivalent to the simplified version that we call AC-OT-SV: for each item, one attribute is associated with it, and it is requested that only the users who possess the associated attribute can obtain the item by queries. On one hand, AC-OT-SV is a special case of AC-OT when there is just one associated attribute with each item. On the other hand, any AC-OT can be realized by an AC-OT-SV. In this paper, we first present a concrete AC-OT-SV protocol which is proved to be secure in the model defined by Camenisch, et al. Then from the protocol, interestingly, a concrete Identity-Based Encryption (IBE) with Anonymous Key Issuing (AKI) is given which is just a direct application to AC-OT-SV. By comparison, we show that the AKI protocol we present is more efficient in communications than that proposed by Chow.

Optimizing Rekeying Cost for Contributory Group Key Agreement Schemes

Although a contributory group key agreement is a promising solution to achieve access control in collaborative and dynamic group applications, the existing schemes have not achieved the performance lower bound in terms of time, communication, and computation costs. In this paper, we propose a contributory group key agreement that achieves the performance lower bound by utilizing a novel logical key tree structure, called PFMH, and the concept of phantom user position. In particular, the proposed scheme only needs O(1) rounds of the two-party Diffie-Hellman (DH) upon any single-user join event and O(log n) rounds of the two-party DH upon any single-user leave event. Both the theoretical bound analysis and simulation show that the proposed scheme achieves a lower rekeying cost than the existing tree-based contributory group key agreement schemes.