ABE based Access Control with Authenticated Dynamic Policy Updating in Clouds
International Journal of Security and Its Applications
Attribute-Based Encryption (ABE) is a promising cryptographic primitive for implementing access control over data stored in the cloud. Because the data owner may frequently change the access policy embedded in a ciphertext, it is important to support dynamic policy updating. However, the cloud must also authenticate the owner, since otherwise an adversary could modify the access policies of files in the cloud and lock legitimate users out of them. In this paper, we focus on owner authentication in ABE systems and propose a novel scheme that enables access control with authenticated dynamic policy updating in the cloud. We adapt the Pedersen commitment and Zero-Knowledge Proof of Knowledge (ZKPK) to authenticate the owner's policy updating key anonymously, without adding any secret information on the owner's side. Our analysis shows that the scheme provides this authentication efficiently and adapts to different types of access policies.

... problem when the owner sends a policy updating request to the cloud. We use the Pedersen commitment and ZKPK to build a CP-ABE scheme in which the cloud can verify whether the access policy updating request for a specific file was issued by the actual data owner. If a malicious owner attempts to update the access policy of another owner's files, the cloud server refuses to update the corresponding ciphertexts' access policies, so the security and availability of the legitimate owners' data are preserved.

Our Contributions. We formulate the authentication problem that arises when an access policy needs to be updated. To make the cloud able to authenticate data owners, we extend the ciphertext-policy ABE scheme with dynamic policy updating in  . The core idea is to fit the Pedersen commitment and ZKPK to the policy updating algorithms. By adding an interactive exchange between the cloud and the data owner, the cloud can authenticate the owner without learning anything about the owner's data. Finally, we propose an access control system with authenticated dynamic policy updating for cloud storage; the idea can also be applied to other ABE systems.

Section 2 gives the necessary preliminaries, and section 3 describes the system model and security model. Section 4 presents the new access control scheme with authenticated dynamic policy updating in clouds, built on the adapted CP-ABE method in  . Section 5 gives a comprehensive security and performance analysis, and section 6 concludes.
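The following Python sketch is an added illustration of the mechanism the abstract and contributions describe, not code from the paper: the owner registers a Pedersen commitment to its policy updating key alongside a file, and later proves knowledge of the commitment's opening to the cloud in an interactive three-move ZKPK (the standard Sigma protocol for a Pedersen opening, with the cloud choosing the challenge), so the cloud rewrites the policy only for a request that the actual owner issued and learns nothing about the key. Everything beyond that is an assumption of the demo: the CP-ABE ciphertext is replaced by a plain policy string, the commitment randomness is re-derived from the key and file id so the owner holds no extra secret, the group is a freshly generated 64-bit safe-prime group (toy-sized), and the names setup, pedersen, owner_commitment, owner_update_policy, CloudServer and demo are the demo's own.

```python
import hashlib
import secrets
from collections import namedtuple

Group = namedtuple("Group", "p q g h")  # safe prime p = 2q+1; g, h generate the order-q subgroup
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97)

def is_probable_prime(n, rounds=24):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=64):
    """Public parameters. h is hash-derived, so log_g(h) is unknown to everyone, which is what
    makes the commitment binding. 64-bit moduli are toy-sized (assumption); use 2048-bit or EC."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p, gens = 2 * q + 1, []
    for label in (b"gen-g", b"gen-h"):
        for ctr in range(256):  # squaring maps into the order-q subgroup; any y != 1 generates it
            y = pow(int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big"), 2, p)
            if y not in (0, 1):
                gens.append(y)
                break
    return Group(p, q, gens[0], gens[1])

def pedersen(G, m, r):
    """Pedersen commitment g^m * h^r (mod p); also the shape of the ZKPK's first move."""
    return pow(G.g, m, G.p) * pow(G.h, r, G.p) % G.p

def owner_randomness(G, key, file_id):
    """r for a file is re-derived from (key, file_id), so the owner keeps no secret beyond the
    policy updating key (a design choice of this demo, not necessarily the paper's)."""
    h = hashlib.sha256((key % G.q).to_bytes(32, "big") + file_id.encode()).digest()
    return int.from_bytes(h, "big") % G.q

def owner_commitment(G, key, file_id):
    """C = g^key * h^r, registered with the cloud when the file is uploaded."""
    return pedersen(G, key % G.q, owner_randomness(G, key, file_id))

class CloudServer:
    """Keeps each file's policy and commitment; rewrites a policy only after a valid ZKPK."""

    def __init__(self, G):
        self.G, self.files, self._pending = G, {}, {}

    def store(self, file_id, policy, commitment):
        self.files[file_id] = {"policy": policy, "commitment": commitment}

    def challenge(self, file_id, new_policy, t):
        """Move 2: fresh random c in Z_q, tied to this request by a session id."""
        sid, c = secrets.token_hex(16), secrets.randbelow(self.G.q)
        self._pending[sid] = (file_id, t, c, new_policy)
        return sid, c

    def apply_update(self, sid, z1, z2):
        """Accept iff g^z1 * h^z2 == t * C^c (mod p); only then rewrite the policy."""
        file_id, t, c, new_policy = self._pending.pop(sid)
        C = self.files[file_id]["commitment"]
        ok = pedersen(self.G, z1, z2) == t * pow(C, c, self.G.p) % self.G.p
        if ok:
            self.files[file_id]["policy"] = new_policy
        return ok

def owner_update_policy(G, key, cloud, file_id, new_policy):
    """Owner side of the interactive ZKPK (moves 1 and 3) around the cloud's challenge (move 2).
    The cloud sees t, c, z1, z2, which reveal nothing about key or r beyond the relation."""
    key, r = key % G.q, owner_randomness(G, key, file_id)
    a, b = secrets.randbelow(G.q), secrets.randbelow(G.q)
    t = pedersen(G, a, b)                              # move 1: t = g^a * h^b
    sid, c = cloud.challenge(file_id, new_policy, t)   # move 2: random challenge from the cloud
    z1, z2 = (a + c * key) % G.q, (b + c * r) % G.q    # move 3: responses masked by a, b
    return cloud.apply_update(sid, z1, z2)

def demo():
    G = setup()
    cloud = CloudServer(G)
    alice_key, mallory_key = secrets.randbelow(G.q), secrets.randbelow(G.q)
    # Constructed sample: Alice uploads a file and registers a commitment to her key with it.
    cloud.store("report.enc", "finance AND manager", owner_commitment(G, alice_key, "report.enc"))
    accepted = owner_update_policy(G, alice_key, cloud, "report.enc", "finance AND (manager OR auditor)")
    # Mallory knows the file id and the public commitment C, but not Alice's key.
    rejected = not owner_update_policy(G, mallory_key, cloud, "report.enc", "mallory")
    return accepted, rejected, cloud.files["report.enc"]["policy"]
```

Soundness comes from the fact that two accepting transcripts with the same t and different challenges let an extractor recover (key, r), so anyone who passes the check knows an opening of C; binding of the commitment (unknown log_g(h)) then ties that opening to the registered key. Zero knowledge follows because (t, c, z1, z2) can be simulated without the key, which is why the cloud learns nothing from verifying. In the paper's setting the policy string would be the CP-ABE ciphertext's policy and the update itself would run the underlying policy updating algorithm; the demo only models the authentication gate in front of it.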