Hierarchical Access Control Research Articles

An efficient hierarchical attribute-based encryption scheme with cross-domain data sharing

With the rapid advancement of data sharing technology, an increasing amount of data is being stored on cloud servers. To enable fine-grained access control over the data stored on cloud servers, the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) technology has been widely adopted. Recognizing that shared data and files often possess a hierarchical structure, hierarchical CP-ABE technology has been proposed recently. However, most existing schemes are restricted to single-domain data access, which limits their flexibility and universal applicability in practical applications. To address this limitation, an access control scheme based on hierarchical CP-ABE, named CDS-CP-ABE, is proposed to facilitate secure and efficient cross-domain data sharing. The scheme is capable of not only realizing fine-grained hierarchical access control within a single domain but also enabling cross-domain data sharing. Security analysis confirms that our scheme effectively resists chosen-plaintext attack. Furthermore, empirical results indicate that the time consumption associated with our scheme is lower compared to other existing schemes.

Extended chaotic map-based key management for hierarchical access control in e-medicine systems

Extended chaotic map-based key management for hierarchical access control in e-medicine systems

Hierarchical access control of supply chain data based on blockchain technology

Hierarchical access control of supply chain data based on blockchain technology

Access Control Strategy for the Internet of Vehicles Based on Blockchain and Edge Computing

Data stored in the Internet of Vehicles (IoV) face problems with ease of tampering, easy disclosure and single access control. Based on this problem, we propose an access control scheme for the IoV based on blockchain, trust values and weighted attribute-based encryption, called the Blockchain Trust and Weighted Attribute-Based Access Control Strategy (BTWACS). First, we utilize both local and global blockchains to jointly maintain the generation, verification and storage of blocks, achieving distributed data storage and ensuring that data cannot arbitrarily be tampered with. Local blockchain mainly uses Road Side Unit (RSU) technology to calculate trust values, while global blockchain is mainly responsible for data storage and access policy selection. Secondly, we design a blockchain-based trust evaluation scheme called Blockchain-Based Trust Evaluation (BBTE). In this evaluation scheme, the trust value of the vehicle node is based on four factors: initial trust, historical experience trust, recommendation trust and RSU observation trust. CRITIC is used to determine the optimal weights of four factors to obtain the trust value. Then, we use the Network Simulator version 3 (NS3) to verify the security and accuracy of BBTE, improving the recognition accuracy and detection rate of malicious vehicle nodes. Finally, by mining the association relationships between attribute permissions among various roles, we construct a hierarchical access control strategy based on weight and trust, and further optimize the access strategy through pruning techniques. The experiment results indicate that this scheme can effectively respond to gray hole attacks, defamation attacks and collusion attacks from other vehicle nodes. This method can effectively reduce the computing and transmission costs of vehicles and meet the access requirements of multiple entities and roles in the IoV.

A blockchain-based privacy-preserving auditable authentication scheme with hierarchical access control for mobile cloud computing

Blockchain-based authentication mode, a fundamental solution to prevent unauthorized access behavior, gradually becomes a focus in future distributed mobile cloud computing (MCC) services. However, due to the transparent and immutable characteristics of blockchain, users’ access behaviors are facing huge security and privacy threats. Storing the encrypted data on chain is an effective way to address these issues, but access permission confirmation and update in the form of ciphertext is the main bottleneck. To this end, this paper proposes a blockchain-based unified authentication and hierarchical access control scheme for the MCC environment, which provides both privacy protection and auditability. In the proposed scheme, users can access multiple MCC services with different access permissions using a single credential. To protect the privacy of both users and service providers, while still supporting auditability, the data on the public ledger is blinded using Pedersen commitments. Besides, the proposed scheme provides flexible dynamic updating in encrypted form. Theoretical analysis indicates that the proposed scheme can meet various security and privacy requirements in the MCC environment. Compared with related schemes, it has better communication efficiency. Therefore, the proposed scheme is more suitable for the actual MCC environment.

A Secure Data-Sharing Scheme for Privacy-Preserving Supporting Node–Edge–Cloud Collaborative Computation

The node–edge–cloud collaborative computation paradigm has introduced new security challenges to data sharing. Existing data-sharing schemes suffer from limitations such as low efficiency and inflexibility and are not easily integrated with the node–edge–cloud environment. Additionally, they do not provide hierarchical access control or dynamic changes to access policies for data privacy preservation, leading to a poor user experience and lower security. To address these issues, we propose a data-sharing scheme using attribute-based encryption (ABE) that supports node–edge–cloud collaborative computation (DS-ABE-CC). Our scheme incorporates access policies into ciphertext, achieving fine-grained access control and data privacy preservation. Firstly, considering node–edge–cloud collaborative computation, it outsources the significant computational overhead of data sharing from the owner and user to the edge nodes and the cloud. Secondly, integrating deeply with the “node–edge–cloud” scenario, the key distribution and agreement between all entities embedded in the encryption and decryption process, with a data privacy-preserving mechanism, improve the efficiency and security. Finally, our scheme supports flexible and dynamic access control policies and realizes hierarchical access control, thereby enhancing the user experience of data sharing. The theoretical analysis confirmed the security of our scheme, while the comparison experiments with other schemes demonstrated the practical feasibility and efficiency of our approach in node–edge–cloud collaborative computation.

Redactable Blockchain-Enabled Hierarchical Access Control Framework for Data Sharing in Electronic Medical Records

The application of blockchain to data sharing in an untrusted environment has received widespread industry attention in recent years. However, the tamper-proof property of blockchain brings protection for sharing data and also leads to a new limitation for the deletion of malicious data. Nowadays, many methods based on redactable blockchain with a chameleon hash is proposed to attempt to solve the above problem, but loss of effective access control to the modifiers can easily lead to breaking the positive characteristics of the blockchain. To address the aforementioned problem, a hierarchical access control redactable blockchain model for data sharing through attribute-based encryption and a chameleon hash is introduced. Under this model, the data owner can specify who can modify their data by setting an access policy and authenticating the modifier with a digital signature. The data owner's full control over rights is guaranteed, while the modifier's behavior is regulated. In addition, the hierarchical access control decentralized technique solves the overpowerful problem of center authority and single-point-of-failure problems in the existing works. The security analysis indicates that the proposed scheme achieves indistinguishable chosen plaintext attack security as well as collision resistance security. Performance analysis shows that the proposed scheme is more complete and has better efficiency compared with other schemes.

Review of hierarchical database access control for E-medicine systems.

Key management schemes for hierarchical access control enable users who have hierarchical relationships with each other to manage their secret keys efficiently. In these schemes, the users are divided into several groups, and all groups have their own central authorities. Each central authority is responsible for setting parameters and generating user's secret keys in a hierarchical structure such that all users efficiently derive their secret keys and solve dynamic access control problems. Several key management schemes with Health Insurance Portability Accountability Act regulations were recently proposed for hierarchical access control in e-medicine systems. However, these schemes either are insecure or require a large amount of storage and heavy computations. Therefore, this study reviews and discusses hierarchical access control schemes with privacy/security regulations for medical record databases.

Hierarchical Access Control in Cloud Computing

Access control is an essential security component of cloud computing, and hierarchical access management is of particular interest because different access privileges are granted in practice. As a solution to versatile and fine-grained hierarchical access control in cloud computing, this paper also presents a hierarchical key assignment scheme based on linear geometry. The encryption key of each class in the hierarchy is connected with a private vector and a public vector in our scheme, and the inner product of an ancestor class's private vector as well as the public variable of its decedent’s class could be used to deduce the encryption method of that descendant class. The proposed scheme is among the direct access strategies on hierarchical access control, which also means so each class at a higher level can straight derive this same encryption key of its decedent’s class without and need to iterate. In furthermore to this basic hierarchy key derivation, we propose a dynamic key management mechanism to handle possible changes in the hierarchy efficiently. Under the assumption of pseudo - random number functions, our scheme requires only light computations over a finite field by providing strong key in-distinguishability. Furthermore, the simulation demonstrates that our scheme maximises the trade-off among computation consumption as well as storage space.

Attribute-Based Hierarchical Access Control With Extendable Policy

Attribute-based encryption scheme is a promising mechanism to realize one-to-many fine-grained access control which strengthens the security in cloud computing. However, massive amounts of data and various data sharing requirements bring great challenges to the complex but isolated and fixed access structures in most of the existing attribute-based encryption schemes. In this paper, we propose an attribute-based hierarchical encryption scheme with extendable policy, called Extendable Hierarchical Ciphertext-Policy Attribute-Based Encryption (EH-CP-ABE), to improve the data sharing efficiency and security simultaneously. The scheme realizes the function of hierarchical encryption, in which, data with hierarchical access control relationships could be encrypted together flexibly to improve the efficiency. The scheme also achieves external and internal extension of the access structure to further encrypt newly added hierarchical data without updating the original ciphertexts or with only a minor update depending on the data sharing requirements, which simplifies the encryption process and greatly reduces the computation overhead. We formally prove the security of the scheme is IND-CCA secure in the random oracle model based on bilinear Diffie-Hellman assumption, and we also implement our scheme to demonstrate its efficiency and practicality.

A Hyperledger Fabric-Based System Framework for Healthcare Data Management

This study examined the requirements for privacy-preserving and interoperability in healthcare data sharing and proposed a blockchain-based solution. The Hyperledger Fabric framework was adopted due to its enterprise-grade data processing capabilities and enhanced privacy protection functions. In addition to the Fabric’s built-in privacy-preserving functions, healthcare data-specific smart contracts with hierarchical access control were developed to strengthen privacy protection in data sharing. The proposed healthcare data-sharing framework is based on Australian medical practices with the aim to upgrade, rather than to replace, the existing data management models. The outcome of this study demonstrates the feasibility of applying blockchain technology to improve privacy-preservation while enhancing interoperability in healthcare data management.

A Novel Hierarchical Key Assignment Scheme for Data Access Control in IoT

Hierarchical key assignment scheme is an efficient cryptographic method for hierarchical access control, in which the encryption keys of lower classes can be derived by the higher classes. Such a property is an effective way to ensure the access control security of Internet of Things data markets. However, many researchers on this field cannot avoid potential single point of failure in key distribution, and some key assignment schemes are insecure against collusive attack or sibling attack or collaborative attack. In this paper, we propose a hierarchical key assignment scheme based on multilinear map to solve the multigroup access control in Internet of Things data markets. Compared with previous hierarchical key assignment schemes, our scheme can avoid potential single point of failure in key distribution. Also the central authority of our scheme (corresponding to the data owner in IoT data markets) does not need to assign the corresponding encryption keys to each user directly, and users in each class can obtain the encryption key via only a one-round key agreement protocol. We then show that our scheme satisfies the security of key indistinguishability under decisional multilinear Diffie-Hellman assumption. Finally, comparisons show the efficiency of our scheme and indicates that our proposed scheme can not only resist the potential attacks, but also guarantee the forward and backward security.

Protocol-Based and Hybrid Access Control for the IoT: Approaches and Research Opportunities.

Internet of Things (IoT) applications and services are becoming more prevalent in our everyday life. However, such an interconnected network of intelligent physical entities needs appropriate security to sensitive information. That said, the need for proper authentication and authorization is paramount. Access control is in the front line of such mechanisms. Access control determines the use of resources only to the specified and authorized users based on appropriate policy enforcement. IoT demands more sophisticated access control in terms of its usability and efficiency in protecting sensitive information. This conveys the need for access control to serve system-specific requirements and be flexibly combined with other access control approaches. In this paper, we discuss the potential for employing protocol-based and hybrid access control for IoT systems and examine how that can overcome the limitations of traditional access control mechanisms. We also focus on the key benefits and constraints of this integration. Our work further enhances the need to build hierarchical access control for large-scale IoT systems (e.g., Industrial IoT (IIoT) settings) with protocol-based and hybrid access control approaches. We, moreover, list the associated open issues to make such approaches efficient for access control in large-scale IoT systems.

HEAD Metamodel: Hierarchical, Extensible, Advanced, and Dynamic Access Control Metamodel for Dynamic and Heterogeneous Structures.

The substantial advancements in information technologies have brought unprecedented concepts and challenges to provide solutions and integrate advanced and self-ruling systems in critical and heterogeneous structures. The new generation of networking environments (e.g., the Internet of Things (IoT), cloud computing, etc.) are dynamic and ever-evolving environments. They are composed of various private and public networks, where all resources are distributed and accessed from everywhere. Protecting resources by controlling access to them is a complicated task, especially with the presence of cybercriminals and cyberattacks. What makes this reality also challenging is the diversity and the heterogeneity of access control (AC) models, which are implemented and integrated with a countless number of information systems. The evolution of ubiquitous computing, especially the concept of Industry 4.0 and IoT applications, imposes the need to enhance AC methods since the traditional methods are not able to answer the increasing demand for privacy and security standards. To address this issue, we propose a Hierarchical, Extensible, Advanced, and Dynamic (HEAD) AC metamodel for dynamic and heterogeneous structures that is able to encompass the heterogeneity of the existing AC models. Various AC models can be derived, and different static and dynamic AC policies can be generated using its components. We use Eclipse (xtext) to define the grammar of our AC metamodel. We illustrate our approach with several successful instantiations for various models and hybrid models. Additionally, we provide some examples to show how some of the derived models can be implemented to generate AC policies.

An Enhanced Access Control Mechanism for Mobile Cloud Computing

Cloud computing is the emerging technology where resources are available pay as you go basis. Cloud storage technology provides the large pool of storage capacity to the cloud users. Providing security to the data stored in cloud is the major concern. So, Security can be enhanced by providing access control to the authorized users. Access control gives the authorization to the users which gives the access privileges on data and other resources. Access control can be enabled in most of the computing environment such as Peer to Peer, Grid and Cloud.Access control is an important measure for the protection of information and system resources to prevent illegitimate users from getting access to protected objects and legitimate users from attempting to access the objects in ways that exceed what they are allowed. The restriction placed on access from a subject to an object is determined by the access policy. With the rapid development of cloud computing, cloud security has increasingly become a common concern and should be dealt with seriously. In this paper, an enhanced access control mechanism is proposed with hierarchical attribute-based access control method.

Web Service Access Control Based on Browser Fingerprint Detection

Web services have covered all areas of social life, and various browsers have become necessary software on computers and mobile phones, and they are also the entrances to Web services. All kinds of threats to web data security continue to appear, so web services and browsers have become the focus of security. In response to the requirements of Web service for access entity identification and data access control, this paper proposes a multi-dimensional browser fingerprint detection method based on adversarial learning, and designs a Web service access control framework combined with browser fingerprint detection. Through the joint use of multi-dimensional browser features, adversarial learning is used to improve the accuracy and robustness of browser fingerprint detection; a cross-server and browser-side Web service access control framework is established by creating tags for Web data resources and access entities. Based on the mapping relationship between browser fingerprint detection entities and data resources, fine-grained hierarchical data access control is realized. Through experiments and analysis, the browser fingerprint detection method proposed in this paper is superior to existing machine learning detection methods in terms of accuracy and robustness. Based on the adversarial learning method, good detection results can be obtained in the case of a small number of user samples. At the same time, the open source data set is further used to verify the advantages of the method in this paper. The Web service access control framework can satisfy the requirements of Web data security control, is an effective supplement to user identification technology, and is implementable.

Granular Data Access Control with a Patient-Centric Policy Update for Healthcare.

Healthcare is a multi-actor environment that requires independent actors to have a different view of the same data, hence leading to different access rights. Ciphertext Policy-Attribute-based Encryption (CP-ABE) provides a one-to-many access control mechanism by defining an attribute’s policy over ciphertext. Although, all users satisfying the policy are given access to the same data, this limits its usage in the provision of hierarchical access control and in situations where different users/actors need to have granular access of the data. Moreover, most of the existing CP-ABE schemes either provide static access control or in certain cases the policy update is computationally intensive involving all non-revoked users to actively participate. Aiming to tackle both the challenges, this paper proposes a patient-centric multi message CP-ABE scheme with efficient policy update. Firstly, a general overview of the system architecture implementing the proposed access control mechanism is presented. Thereafter, for enforcing access control a concrete cryptographic construction is proposed and implemented/tested over the physiological data gathered from a healthcare sensor: shimmer sensor. The experiment results reveal that the proposed construction has constant computational cost in both encryption and decryption operations and generates constant size ciphertext for both the original policy and its update parameters. Moreover, the scheme is proven to be selectively secure in the random oracle model under the q-Bilinear Diffie Hellman Exponent (q-BDHE) assumption. Performance analysis of the scheme depicts promising results for practical real-world healthcare applications.

A Novel Attribute-Based Encryption Approach with Integrity Verification for CAD Assembly Models

Cloud manufacturing is one of the three key technologies that enable intelligent manufacturing. This paper presents a novel attribute-based encryption (ABE) approach for computer-aided design (CAD) assembly models to effectively support hierarchical access control, integrity verification, and deformation protection for co-design scenarios in cloud manufacturing. An assembly hierarchy access tree (AHAT) is designed as the hierarchical access structure. Attribute-related ciphertext elements, which are contained in an assembly ciphertext (ACT) file, are adapted for content keys decryption instead of CAD component files. We modify the original Merkle tree (MT) and reconstruct an assembly MT. The proposed ABE framework has the ability to combine the deformation protection method with a content privacy of CAD models. The proposed encryption scheme is demonstrated to be secure under the standard assumption. Experimental simulation on typical CAD assembly models demonstrates that the proposed approach is feasible in applications.

A Sensitive File Abnormal Access Detection Method Based on Application Classification

As the access control mode of notepad files cannot meet the requirements of risk control for sensitive file hierarchical access, this paper proposes an application classification-based detection method for abnormal access to sensitive files. The application classification and file classification, access control policy mapping, and basic and preset policy detection are designed. Combining the operating system’s identification control of different applications at runtime, we monitor the abnormal access of sensitive files by hierarchical applications. The cross-access experiment of different levels of application to different sensitive files verified the effectiveness and security of hierarchical access control strategy and sensitive file abnormal access detection and reduced the risk of disclosure of sensitive files.

Secure and efficient revocable key-aggregate cryptosystem for multiple non-predefined non-disjoint aggregate sets

Revocation and renewal of access rights of users are desirable requirements of a practical access control solution. Recently, key-aggregate cryptosystems have attracted significant attention of the research community, due to their elegance and efficiency, as a tool for access control enforcement. However, key-aggregate encryption schemes proposed so far in the literature are suitable only for enforcing static predefined access control policies. This paper proposes a novel key-aggregate encryption scheme that efficiently handles dynamic access control policies. The proposed scheme not only has all key-aggregate characteristics, but can also efficiently revoke/add any data class from/to a given aggregate set. Further, unlike conventional key-aggregate cryptosystems, the proposed scheme can introduce a new data class in the cryptosystem without having to initialize it all over again. The proposed scheme requires constant length master-secret to be stored by the data owner and is proved IND-CPA secure under standard model assumption. We define forward security for the proposed key-aggregate cryptosystem and formally prove that the proposed construction is secure under the definition of forward security. Performance analysis in a practical dynamic hierarchical access control scenario further confirms suitability of the proposed scheme for enforcing dynamic access control policies.