DAC-MACS: Effective Data Access Control for
Multi-Authority Cloud Storage Systems
ABSTRACT
Data access control is an effective way to ensurethe data security in the cloud. However, due to data outsourcingand untrusted cloud servers, the data access control becomesa challenging issue in cloud storage systems. Existing accesscontrol schemes are no longer applicable to cloud storage systems,because they either produce multiple encrypted copies of the samedata or require a fully trusted cloud server.
Ciphertext-PolicyAttribute-based Encryption (CP-ABE) is a promising techniquefor access control of encrypted data. It requires a trustedauthority manages all the attributes and distributes keys in thesystem. In cloud storage systems, there are multiple authoritiesco-exist and each authority is able to issue attributes independently.However, existing CP-ABE schemes cannot be directlyapplied to the access control for multi-authority cloud storagesystems, due to the inefficiency of decryption and revocation.
Existing System
Due to data outsourcing and untrusted cloud servers, the data access control becomesa challenging issue in cloud storage systemsExisting access control schemes are no longer applicable to cloud storage systems,because they either produce multiple encrypted copies of the same data or require a fully trusted cloud server.
Dis advantage:
However, cloud storage service separatesthe roles of the data owner from the data service provider, andthe data owner does not interact with the user directly for providingdata access service, which makes the data access controla challenging issue in cloud storage systems. Because thecloud server cannot be fully trusted by data owners,traditionalserver-based access control methods are no longer applicableto cloud storage systems.
Proposed System
we first construct a new multi-authority CPABEscheme with efficient decryption and design an efficientattribute revocation method for it. Then, we apply them todesign an effective access control scheme for multi-authoritysystems. The main contributions of this work can be summarizedas follows.
1) We propose DAC-MACS (Data Access Control forMulti-Authority Cloud Storage), an effective and securedata access control scheme for multi-authority cloudstorage systems, which is provably secure in the randomoracle model and has better performance than existingschemes.
2) We construct a new multi-authority CP-ABE schemewith efficient decryption. Specifically, we outsource themain computation of the decryption by using a tokenbaseddecryption method.
3)We also design an efficient immediate attribute revocationmethod for multi-authority CP-ABE scheme thatachieves both forward security and backward security. Itis efficient in the sense that it incurs less communicationcost and computation cost of the revocation.
System Configuration:-
H/W System Configuration:-
Processor - Pentium –III
Speed - 1.1 Ghz
RAM - 256 MB(min)
Hard Disk - 20 GB
Floppy Drive - 1.44 MB
Key Board - Standard Windows Keyboard
Mouse - Two or Three Button Mouse
Monitor - SVGA
S/W System Configuration:-
Operating System :Windows95/98/2000/XP
Application Server : Tomcat5.0/6.X
Front End : HTML, Java, Jsp
Scripts : JavaScript.
Server side Script : Java Server Pages.
Database : Mysql 5.0
Database Connectivity : JDBC.
IMPLEMENTATION
Implementation is the stage of the project when the theoretical design is turned out into a working system. Thus it can be considered to be the most critical stage in achieving a successful new system and in giving the user, confidence that the new system will work and be effective.
The implementation stage involves careful planning, investigation of the existing system and it’s constraints on implementation, designing of methods to achieve changeover and evaluation of changeover methods.
Main Modules:-
Algorithm used: CP-ABE algorithms
1. Global trusted certificate authority:
The CA is a global trusted certificate authority in the system.It sets up the system and accepts the registration of all theusers and AAs in the system. The CA is responsible for thedistribution of global secret key and global public key for each
legal user in the system. However, the CA is not involved inany attribute management and the creation of secret keys thatare associated with attributes. For example, the CA can be theSocial Security Administration, an independent agency of theUnited States government. Each user will be issued a SocialSecurity Number (SSN) as its global identity.
2.Attribute Authority:
Every AA is an independent attribute authority that is responsible for issuing, revoking and updating user’s attributes
according to their role or identity in its domain. In DACMACS,
every attribute is associated with a single AA, but each AA can manage an arbitrary number of attributes. Every AA has full control over the structure and semantics of its attributes. Each AA is responsible for generating a public attribute keyfor each attribute it manages and a secret key for each userassociates with their attributes.
3. Cloud Server :
The cloud server stores the owners’ data and provides dataaccess service to users. It generates the decryption token ofa ciphertext for the user by using the secret keys of the userissued by the AAs. The server also does the ciphertext updatewhen an attribute revocation happens.
4. Data Owner:
The data owners define the access policies and encryptthe data under the policies before hosting them in the cloud.They do not rely on the server to do the data access control.Instead, the ciphertext can be accessed by all the legal usersin the system. But, the access control happens inside thecryptography. That is only when the user’s attributes satisfythe access policy defined in the ciphertext, the user can decryptthe ciphertext.
5. User :
Each user is assigned with a global user identity from the
CA. Each user can freely get the ciphertexts from the server.To decrypt a ciphertext, each user may submit their secretkeys issued by some AAs together with its global public keyto the server and ask it to generate an decryption token forsome ciphertext. Upon receiving the decryption token, the usercan decrypt the ciphertext by using its global secret key. Onlywhen the user’s attributes satisfy the access policy defined inthe ciphertext, the server can generate the correct decryptiontoken. The secret keys and the global user’s public key can bestored on the server; subsequently, the user does not need tosubmit any secret keys if no secret keys are updated for thefurther decryption token generation.
Architecture: