Fine-grained Data Access Control Research Articles

HA-Med: A Blockchain-Based Solution for Sharing Medical Data with Hidden Policies and Attributes

Existing healthcare data-sharing solutions often combine attribute-based encryption techniques with blockchain technology to achieve fine-grained access control. However, the transparency of blockchain technology may introduce potential risks of exposing access structures and user attributes. To address these concerns, this paper proposes a novel healthcare data-sharing scheme called HA-Med. By leveraging blockchain technology, HA-Med ensures the concealment of access policies and attributes, providing a secure solution for fine-grained access control of medical data. Furthermore, the scheme supports attribute revocation and forward secrecy to enhance user privacy. The security of HA-Med is rigorously verified through theoretical analysis, and its feasibility is demonstrated through experiments conducted using the Java-based JPBC library.

A License Management and Fine-Grained Verifiable Data Access Control System for Online Catering

A License Management and Fine-Grained Verifiable Data Access Control System for Online Catering

HRA-secure attribute-based threshold proxy re-encryption from lattices

Proxy re-encryption (PRE) allows a semi-trust proxy with a re-encryption key to transform a ciphertext encrypted under one key to an encryption of the same message under another key. Attribute-based proxy re-encryption (AB-PRE) is a generalization of PRE which enables fine-grained access control and delegation of encrypted data. However, traditional AB-PRE suffers from the single point of failure as it relies on a single proxy to perform ciphertext transformations. To resolve this problem, this paper introduces a new primitive called attribute-based threshold proxy re-encryption (AB-TPRE), that utilizes multiple (N) proxies for the transformations. In AB-TPRE, the re-encryption key is split into N shares, with each proxy receiving one share to generate a transformed ciphertext share. Only when a threshold (t) number of transformed ciphertext shares are combined can the transformed ciphertext be correctly generated. Furthermore, to address the security risk of shares leakage, we introduce a share updatable property that allows the re-encryption key shares to be refreshed. We propose a construction of AB-TPRE from lattices, and prove its security against the honest re-encryption attacks under the learning with errors (LWE) assumption, which is assumed to be quantum secure since up to now there is no known quantum algorithm to solve LWE in polynomial time.

Hierarchical and Multi-Group Data Sharing for Cloud-Assisted Industrial Internet of Things

With the development of Industrial Internet of Things (IIoT) and 5G, massive data are easily collected and transmitted in cloud. Therefore, it is critical to guarantee the security of data sharing. In IIoT applications, the users of a group are in hierarchical structure and they intend to access data by external groups, which requires fine-grained access control, data authenticity and data retrieval. However, existing approaches rarely provide such solutions to satisfy these requirements simultaneously. In this paper, we propose an efficient hierarchical and multi-group data sharing framework (HMGDSF) in cloud-assisted IIoT. Apart from fine-grained data access control for hierarchical users with key leakage resilience, HMGDSF achieves user anonymity with traceability and keyword-based data retrieval. Moreover, the approach supports data authenticity and integrity verification for multi-group data sharing by integrating group signature mechanism. We provide proof for the security of framework and demonstrate its efficiency and practicability by extensive evaluations.

Fine-grained access control policy in blockchain-enabled edge computing

In the process of data sharing and interaction between untrusted intelligence edge devices, there are risks of misuse and tampering with the data. Hence, how to ensure data security and prevent unauthorized data access is the key problem to be solved in the cloud edge collaborative architecture. However, due to the heterogeneity of edge devices and the diversity of data sources, traditional access control methods cannot meet the requirements of the large-scale, distributed, dynamic and flexible expansion of edge intelligence applications. Therefore, this paper studies the fine-grained data access control method on the basis of smart contracts, and implements the attribute-based access control (ABAC) model through smart contracts. To improve the query efficiency of attributes and policies in the process of access request decision, an attribute management scheme is designed on the basis of the Bloom filter to achieve fast retrieval of attributes and policies. The decentralized fine-grained access control method is tested under the performance indicators such as retrieval delay, deployment delay, rule reduction rate and decision response time.

Enabling fine-grained access control in information sharing with structured data formats

The ongoing need for societal and industrial digital transformation requires rapidly expanding networks of interconnected organizations and dictates an increasing role for cybersecurity in information sharing. A typical setup consists of multiple stakeholders working closely together and needing efficient channels for sharing relevant information in a secure manner. This is especially prevalent with complex modern supply chains and critical information infrastructures. They often comprise of numerous co-operating organizations, people and in some cases smart devices having different levels of access to a variety of information. Granular access control plays a vital role when distributing information efficiently between stakeholders without revealing sensitive pieces of data to unwanted third parties. This article presents a novel framework for enabling fine-grained access control to share information efficiently and securely in these situations. Our motivation and use case for the framework originates from the secure sharing of cyber incident information in the maritime logistics industry. We present a novel solution to this problem by developing an information sharing platform and a meta-model, demonstrated using an implementation with structured JSON data formats, while supporting previously researched attribute-based encryption schemes. The proposed framework provides a broader context to the fine-grained data access control challenge in addition to the technical implementation.

A computer-aided feature-based encryption model with concealed access structure for medical Internet of Things

One of the Internet of Things (IoT) security issues is the secure sharing and granular management of data access. This study recommends a feature-based encryption scheme with a hidden access structure for medical IoT data security. While establishing fine-grained access control of ciphertext data, the system can guarantee clinical client data privacy. First, it is recommended to convert identity-based encryption (IBE) into a feature-based encryption model (FBEM) using a universal conversion technique that supports multi-valued attributes and gates. IBE characteristics could be inherited by the converted FBEM. The conversion method is then used to change the receiver anonymous IBE scheme into the FBEM scheme with concealed access structure. The FBEM model is then used to construct the IoT scenario for the smart medical application. Theoretical analysis and experimental findings reveal that the suggested system provides advantages over prominent systems regarding computing efficiency, storage load, and security when the access structure is disguised.

Designing attribute-based verifiable data storage and retrieval scheme in cloud computing environment

The cloud computing technology is a novel storage and computing paradigm that enables individuals and organizations to store data, share data with intended group of users and retrieve data when require. It greatly improves peoples’ data storage and sharing, and data retrieval capabilities by providing flexible, less expensive and quality services. For data security and privacy concerns, secure and authenticated data storage, fine-grained access control of encrypted data, secure search for the outsourced data and search results verification are of critical importance. However, achieving the aforementioned functionalities simultaneously is quite challenging. In this paper, for the first time, we propose a secure lightweight Attribute-Based verifiable Data Storage and data Retrieval Scheme (ABDSRS) for cloud environments that attains the following features: (i) lightweight design, (ii) provably secure, (iii) fine-grained data access control, (iv) data owner (DO) anonymity, (v) data and DO authenticity, (vi) keyword policy search over encrypted data, (vii) keyword privacy, and (viii) search results verification. ABDSRS employs attribute-based online-offline mechanism in which only authorized DOs can anonymously upload data to the cloud. And, a data user (DU) can search over encrypted data using keyword policy. ABDSRS enables a DU to verify the correctness of the search results (i.e., the correctness of the operations performed by the cloud) without interacting with any authority. ABDSRS is lightweight in the sense that the heavy computations are offloaded either to the cloud or to offline phase, while only lightweight operations are executed at the DU device. We formalize more general security definitions of ABDSRS by considering various possible adversarial capabilities and present rigorous security analysis. We also conduct experiments to evaluate ABDSRS’s performance.

DAC4SH: A Novel Data Access Control Scheme for Smart Home Using Smart Contracts

Smart home (s-home) is an important Internet of Things (IoT)-based application in improving the living environment. Many cryptography-based protection schemes have been proposed to guarantee data confidentiality in s-home. Access control is a promising method to protect generated data from unauthorized access, and it is also urgently needed in s-home. Current centralized access control schemes are not excellent in security and performance. For instance, it still faces the problems of a single point of failure, low reliability, and poor scalability. This study proposes a decentralized and reliable access control scheme for s-home using smart contracts, named DAC4SH. To be specific, this proposed framework consists of an access policy management contract (APMC), a data attribute management contract (DAMC), a subject attribute management contract (SAMC), and a data access control contract (DACC) for realizing the fine-grained data access control. Meanwhile, we record all the access activities into the immutable distributed ledgers for auditing. To verify the feasibility of our DAC4SH, we construct an Ethereum-based prototype system and evaluate the performance of DAC4SH in terms of computational and communication costs. According to the experimental results, we can conclude that the performance of DAC4SH is appropriate.

Lightweight Fine-Grained Multiowner Search over Encrypted Data in Cloud-Edge Computing

Edge computing, as an extension of cloud computing, outsources encrypted sensitive data to edge nodes to decrease latency and improve broadband efficiency. Although attribute-based keyword search (ABKS) can ensure the security of outsourced data and promote fine-grained access control of data, deficiencies still exist under the general ABKS scheme in the cloud, as follows: shared files owned by a single data owner, inflexible access control, key escrow problem, and high computational overhead. We propose an attribute-based multidata owner searchable encryption scheme in cloud-edge computing with effective policy update to address these problems. The two-level access control is used to realize the common management and fine-grained sharing of data by the multidata owner. All user keys are jointly generated by the central authority and attribute authority, and a key escrow is no longer required. Moreover, partial encryption and decryption calculations are shifted from resource-constrained data owners and users to edge nodes. Furthermore, our scheme not only supports policy update but also realizes the dynamic updating of the index. The security proof and performance analysis show that the scheme has strong security and practicality in the edge computing environment.

Security on mobile cloud computing using cipher text policy and attribute based encryption scheme

Mobile Cloud Computing (MCC) is a new paradigm that has been emerged by the advances in the Cloud Computing for Mobile devices to access Cloud services. The data security challenges against the data thefting, deleting, corrupting, or exploiting are existed as the data storage and access to/from the cloud has been most popular. In order to handle these data security issues in the cloud and to provide protection for the data, some innovative encryption methods have been developed. One of such encryption methods is Attribute-Based Encryption (ABE) that has a more control on the data in cloud as which is accessed by whom. Since from the recent years, many of academic researchers have paying a widespread of attention on using advanced cryptographic techniques to securely store, process, also share data over the untrusted cloud environment. One of the promising cryptographic techniques which can solve the open challenge of regulating the fine-grained access control of important data over the distributed cloud is the Cipher text Policy – Attribute Based Encryption (CP-ABE). Therefore, a survey of work is presented in this paper on different CP-ABE methods for the secure mobile cloud computing architecture. This paper presents some works that are focused on secure data storing, accessing and sharing using CP-ABE methods over the untrusted cloud environments. All the works that are studied are analyzed and compared with each other in the results to find the best out of it.

Secure Collaborative Platform for Health Care Research in an Open Environment: Perspective on Accountability in Access Control.

BackgroundWith the recent use of IT in health care, a variety of eHealth data are increasingly being collected and stored by national health agencies. As these eHealth data can advance the modern health care system and make it smarter, many researchers want to use these data in their studies. However, using eHealth data brings about privacy and security concerns. The analytical environment that supports health care research must also consider many requirements. For these reasons, countries generally provide research platforms for health care, but some data providers (eg, patients) are still concerned about the security and privacy of their eHealth data. Thus, a more secure platform for health care research that guarantees the utility of eHealth data while focusing on its security and privacy is needed.ObjectiveThis study aims to implement a research platform for health care called the health care big data platform (HBDP), which is more secure than previous health care research platforms. The HBDP uses attribute-based encryption to achieve fine-grained access control and encryption of stored eHealth data in an open environment. Moreover, in the HBDP, platform administrators can perform the appropriate follow-up (eg, block illegal users) and monitoring through a private blockchain. In other words, the HBDP supports accountability in access control.MethodsWe first identified potential security threats in the health care domain. We then defined the security requirements to minimize the identified threats. In particular, the requirements were defined based on the security solutions used in existing health care research platforms. We then proposed the HBDP, which meets defined security requirements (ie, access control, encryption of stored eHealth data, and accountability). Finally, we implemented the HBDP to prove its feasibility.ResultsThis study carried out case studies for illegal user detection via the implemented HBDP based on specific scenarios related to the threats. As a result, the platform detected illegal users appropriately via the security agent. Furthermore, in the empirical evaluation of massive data encryption (eg, 100,000 rows with 3 sensitive columns within 46 columns) for column-level encryption, full encryption after column-level encryption, and full decryption including column-level decryption, our approach achieved approximately 3 minutes, 1 minute, and 9 minutes, respectively. In the blockchain, average latencies and throughputs in 1Org with 2Peers reached approximately 18 seconds and 49 transactions per second (TPS) in read mode and approximately 4 seconds and 120 TPS in write mode in 300 TPS.ConclusionsThe HBDP enables fine-grained access control and secure storage of eHealth data via attribute-based encryption cryptography. It also provides nonrepudiation and accountability through the blockchain. Therefore, we consider that our proposal provides a sufficiently secure environment for the use of eHealth data in health care research.

MB-BC: Drug Traceability System Based on Multibranched Blockchain Structure

The establishment of a complete drug traceability system is essentially important for public drug security and the business of pharmaceutical companies which is aimed at tracking where the drug has gone along the drug supply chain. Traditional centralized server-client technical solutions have been far from satisfaction for their bad performances in data authenticity, privacy, system resilience, and flexibility. In this paper, we propose a drug traceability scheme called MB-BC, which realizes the security and traceability of drug data through a novel multibranched blockchain scheme. Different from the characteristics of transparency of traditional blockchains, MB-BC realizes fine-grained access control of data between all levels in the system, which improves the security and privacy of data. MB-BC has further improved the existing consensus mechanism, strengthened the supervision of pharmaceutical companies, and further improved the safety and robustness of the system. Furthermore, the system combines data access strategies with smart contracts; each branch chain can also issue its smart contract to provide personalized services. Finally, security and performance evaluations show that the solution is advantageous in terms of data security, system robustness, supervisibility, and traceability, as well as efficient in terms of blockchain throughput, data query time, and blockchain consensus consumptions, compared with other typical approaches.

Novel Security Models for IoT–Fog–Cloud Architectures in a Real-World Environment

With the rise of the Internet of Things (IoT), there is a demand for computation at network edges because of the limited processing capacity of IoT devices. Fog computing is a middle layer that has appeared to address the latency issues between the Internet of things (IoT) and the cloud. Fog computing is becoming more important as companies face increasing challenges in collecting and sending data from IoT devices to the cloud. However, this has led to new security and privacy issues as a result of the large number of sensors in IoT environments as well as the massive amount of data that must be analyzed in real time. To overcome the security challenges between the IoT layer and fog layer and, thus, meet the security requirements, this paper proposes a fine-grained data access control model based on the attribute-based encryption of the IoT–Fog–Cloud architecture to limit the access to sensor data and meet the authorization requirements. In addition, this paper proposes a blockchain-based certificate model for the IoT–Fog–Cloud architecture to authenticate IoT devices to fog devices and meet the authentication requirements. We evaluated the performance of the two proposed security models to determine their efficiency in real-life experiments of the IoT–Fog–Cloud architecture. The results demonstrate that the performance of the IoT–Fog–Cloud architecture with and without the blockchain-based certificate model was the same when using one, two, or three IoT devices. However, the performance of the IoT–Fog–Cloud architecture without the access control model was slightly better than that of the architecture with the model when using one, two, or three IoT devices.

Toward Vehicular Digital Forensics From Decentralized Trust: An Accountable, Privacy-Preserving, and Secure Realization

With the increasing number of traffic accidents and terrorist attacks by modern vehicles, vehicular digital forensics (VDF) has gained significant attention in identifying evidence from the related digital devices. Ensuring the law enforcement agency to accurately integrate various kinds of data is a crucial point to determine the facts. However, malicious attackers or semi-honest participants may undermine the digital forensic procedures. Enabling accountability and privacy preservation while providing secure data access control in VDF is a nontrivial challenge. To mitigate this issue, in this article, we propose a blockchain-based decentralized solution for VDF named BB-VDF, in which the accountable protocols and privacy-preserving algorithm are constructed. The desirable security properties and fine-grained data access control are achieved based on smart contract and the customized cryptographic construction. Specifically, we design a distributed key-policy attribute-based encryption scheme with partially hidden access structures, named DKP-ABE-H, to realize the secure fine-grained forensics data access control. Further, a novel smart contract is designed to model the forensics procedures as a finite state machine, which guarantees accountability that each participant performs auditable cooperation under tamper resistant and traceable transactions. Systematic security analysis and extensive experimental results show the feasibility and practicability of our proposed BB-VDF scheme.

Efficient Multibit Function Encryption for Data Security in Internet of Things

The development of the Internet of Things (IoT) has been facing severe security threats, and the security and fine-grained access control of data in the IoT is one of the security problems that urgently need to deal with. Attribute-based encryption (ABE) schemes over lattice can not only achieve fine-grained access control but also resist quantum attacks. However, most schemes are single-bit encryption, which is inefficient. In this study, a multibit inner product predicate encryption (PE) scheme over lattice is proposed, which effectively expands the plaintext space. The scheme can realize multibit attribute-based encryption with the hidden access structure for data security in the IoT and support And-gate operation in the access structure with multiattribute. The fine-grained access control of ciphertext data can be realized under the condition of ensuring data privacy. The security of the scheme is based on LWE problem, and it can resist quantum attacks, that is, CPA security under the standard model.

Encrypted Speech Retrieval Scheme Based on Multiuser Searchable Encryption in Cloud Storage

In order to solve the problem of multiuser security sharing and privacy protection of the speech data in cloud storage and realize efficient encrypted speech retrieval, an encrypted speech retrieval scheme based on multiuser searchable encryption was proposed. Firstly, the ciphertext-policy attribute-based encryption (CP-ABE) and searchable encryption (SE) are combined to support a multiuser searchable speech encryption scheme, which achieves the encryption and fine-grained access control of the speech data. Secondly, the Mel frequency cepstral coefficient (MFCC) feature of the original speech that is used as the input of the long- and short-term memory network (LSTM) is extracted to perform the deep semantic feature extraction as the speech keywords. Finally, the speech keywords are encrypted to generate a secure index, bound together with the encrypted speech, and then stored in the cloud. During the user retrieving, the keywords of query speech are extracted by utilizing the trained LSTM to generate the search trapdoor of the user and then uploaded to the cloud server, and the Euclidean distance is used for matching the security index with the search trapdoor. In addition, a proxy server is introduced to execute the partial ciphertext decryption operations to reduce computation overhead and storage space. The theoretical analysis and experimental results show that the proposed scheme has higher security and retrieval accuracy and can realize the secure storage of the massive speech data and multiuser data sharing.

A Metaheuristic Approach for Encrypting Blockchain Data Attributes Using Ciphertext Policy Technique

Unlike public chains, the Alliance Blockchain Hyperledger Fabric has a member management service mechanism that may provide data isolation security at the channel level. However, because this data isolation security technique synchronizes plaintext data inside the channel, data leakage is still a possibility. Furthermore, in some fine-grained privacy protection circumstances, channel-based data access restriction is ineffective. In order to solve the data privacy security problems in the above-mentioned consortium chain superledger, a blockchain data attribute encryption scheme based on ciphertext policy is proposed. Combining the original Fabric Certificate Authority module in the Hyperledger, the proposed scheme can realize the user-level fine-grained security access to control blockchain data while also realizing the secure distribution of user attribute keys in the blockchain data attribute encryption scheme based on the ciphertext policy scheme. The security analysis of the scheme shows that the scheme achieves the security goals of attribute-based encryption user attribute private key secure distribution and data privacy protection. The scope of this research is that this study confirms that the solution’s architecture achieves fine-grained access control of private data on the Hyperledger Blockchain network and also the security objectives of secure transmission of user characteristic secret keys and data privacy protection. The performance analysis part also shows that the proposed scheme has good usability.

Enabling efficient traceable and revocable time-based data sharing in smart city

With the assistance of emerging techniques, such as cloud computing, fog computing and Internet of Things (IoT), smart city is developing rapidly into a novel and well-accepted service pattern these days. The trend also facilitates numerous relevant applications, e.g., smart health care, smart office, smart campus, etc., and drives the urgent demand for data sharing. However, this brings many concerns on data security as there is more private and sensitive information contained in the data of smart city applications. It may incur disastrous consequences if the shared data are illegally accessed, which necessitates an efficient data access control scheme for data sharing in smart city applications with resource-poor user terminals. To this end, we proposes an efficient traceable and revocable time-based CP-ABE (TR-TABE) scheme which can achieve time-based and fine-grained data access control over large attribute universe for data sharing in large-scale smart city applications. To trace and punish the malicious users that intentionally leak their keys to pursue illicit profits, we design an efficient user tracing and revocation mechanism with forward and backward security. For efficiency improvement, we integrate outsourced decryption and verify the correctness of its result. The proposed scheme is proved secure with formal security proof and is demonstrated to be practical for data sharing in smart city applications with extensive performance evaluation.

Fine-grained Access Control Method for Blockchain Data Sharing based on Cloud Platform Big Data

Blockchain technology has the advantages of decentralization, de-trust, and non-tampering, which breaks through the limitations of traditional centralized technology, so it has gradually become the key technology of power data security storage and privacy protection. In the existing smart grid framework, the grid operator is a centralized key distribution organization, which is responsible for sending all the secret credentials, so it is easy to have a single point of failure, resulting in a large number of personal information losses. To solve the problems of inflexible access control in smart grid data-sharing framework and considering the limitation of multi-party cooperation among grid operators and efficiency, an attribute-based access control scheme supporting privacy preservation in smart grid is constructed in this paper. A fine-grained access control scheme supporting privacy protection is designed and extended to the smart grid system, which enables the system to achieve fine-grained access control of power data. A decryption test algorithm is added before the decryption algorithm. Finally, through performance analysis and comparison with other schemes, it is verified that the performance of this system is 7% higher than the traditional method, and the storage cost is 9.5% lower, which reflects the superiority of the system. Full optimization of the access policy is achieved. It is proved that the scheme is more efficient to implement the coordination and cooperation of multiple authorized agencies in the system initialization.