research-article

Enforcing authorizations while protecting access confidentiality

Authors: Sabrina De Capitani di Vimercati, Sara Foresti, Stefano Paraboschi, Gerardo Pelosi, Pierangela SamaratiAuthors Info & Claims

Journal of Computer Security, Volume 26, Issue 2

Pages 143 - 175

https://doi.org/10.3233/JCS-171004

Published: 01 January 2018 Publication History

Abstract

Cloud computing is the reference paradigm to provide data storage and management in a convenient and scalable manner. However, moving data to the cloud raises several issues, including the confidentiality of data and of accesses that are no more under the direct control of the data owner. The shuffle index has been proposed as a solution for addressing these issues when data are stored at an external third party.

In this paper, we extend the shuffle index with support for access control, that is, for enforcing authorizations on data. Our approach is based on the use of selective encryption and on the organization of data and authorizations in two shuffle indexes. Owners regulate access to their data through authorizations that allow different users to access different portions of the data, while, at the same time, the confidentiality of accesses is guaranteed. The proposed approach also supports update operations over the outsourced data collection (i.e., insertion, removal, and update) as well as of the access control policy (i.e., grant and revoke). Also, our approach protects the nature of each access operation, making revoke operations and resource removal operations indistinguishable by the storing server and/or observing users.

References

[1]

M. Atallah, M. Blanton, N. Fazio and K. Frikken, Dynamic and efficient key management for access hierarchies, ACM TISSEC 12(3) (2009), 1–43.

Digital Library

[2]

E. Bacis, S. De Capitani di Vimercati, S. Foresti, S. Paraboschi, M. Rosa and P. Samarati, Mix&Slice: Efficient access revocation in the cloud, in: Proc. of CCS, Vienna, Austria, 2016.

[3]

J. Bethencourt, A. Sahai and B. Waters, Ciphertext-policy attribute-based encryption, in: Proc. of IEEE S&P, Oakland, CA, 2007.

[4]

C. Cachin, S. Micali and M. Stadler, Computationally private information retrieval with polylogarithmic communication, in: Proc. of EUROCRYPT, Prague, Czech Republic, 1999.

[5]

S. De Capitani di Vimercati, S. Foresti, S. Jajodia, G. Livraga, S. Paraboschi and P. Samarati, Enforcing dynamic write privileges in data outsourcing, Computers & Security 39 (2013), 47–63.

Digital Library

[6]

S. De Capitani di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, G. Pelosi and P. Samarati, Encryption-based policy enforcement for cloud storage, in: Proc. of SPCC, Genova, Italy, 2010.

[7]

S. De Capitani di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi and P. Samarati, Over-encryption: Management of access control evolution on outsourced data, in: Proc. of VLDB, Vienna, Austria, 2007.

[8]

S. De Capitani di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi and P. Samarati, Encryption policies for regulating access to outsourced data, ACM TODS 35(2) (2010), 1–46.

Digital Library

[9]

S. De Capitani di Vimercati, S. Foresti, S. Paraboschi, G. Pelosi and P. Samarati, Efficient and private access to outsourced data, in: Proc. of ICDCS, Minneapolis, MN, 2011.

[10]

S. De Capitani di Vimercati, S. Foresti, S. Paraboschi, G. Pelosi and P. Samarati, Supporting concurrency and multiple indexes in private access to outsourced data, JCS 21(3) (2013), 425–461.

[11]

S. De Capitani di Vimercati, S. Foresti, S. Paraboschi, G. Pelosi and P. Samarati, Shuffle index: Efficient and private access to outsourced data, ACM TOS 11(4) (2015), 1–55.

Digital Library

[12]

S. De Capitani di Vimercati, S. Foresti, S. Paraboschi, G. Pelosi and P. Samarati, Access control for the shuffle index, in: Proc. of DBSec, Trento, Italy, 2016.

[13]

S. De Capitani di Vimercati, S. Foresti, S. Paraboschi, G. Pelosi and P. Samarati, Three-server swapping for access confidentiality, IEEE TCC (2016), pre-print.

[14]

S. Devadas, M. van Dijk, C.W. Fletcher, L. Ren, E. Shi and D. Wichs, Onion ORAM: A constant bandwidth blowup oblivious RAM, in: Proc. of TCC, Tel Aviv, Israel, 2016.

[15]

O. Goldreich, Towards a theory of software protection and simulation by oblivious RAMs, in: Proc. of STOC, New York, NY, 1987.

[16]

V. Goyal, A. Jain, O. Pandey and A. Sahai, Bounded ciphertext policy attribute based encryption, in: Proc. of ICALP, Reykjavik, Iceland, 2008.

[17]

V. Goyal, O. Pandey, A. Sahai and B. Waters, Attribute-based encryption for fine-grained access control of encrypted data, in: Proc. of CCS, Alexandria, VA, 2006.

[18]

M. Green, S. Hohenberger and B. Waters, Outsourcing the decryption of ABE ciphertexts, in: Proc. of USENIX, San Francisco, CA, 2011.

[19]

H. Hacigümüs, B. Iyer, S. Mehrotra and C. Li, Executing SQL over encrypted data in the database-service-provider model, in: Proc. of SIGMOD, Madison, WI, 2002.

[20]

M.S. Islam, M. Kuzu and M. Kantarcioglu, Inference attack against encrypted range queries on outsourced databases, in: Proc. of CODASPY, San Antonio, TX, USA, 2014.

[21]

R. Jhawar and V. Piuri, Fault tolerance management in IaaS clouds, in: Proc. of ESTEL, Rome, Italy, 2012.

[22]

R. Jhawar and V. Piuri, Fault tolerance and resilience in cloud computing environments, in: Computer and Information Security Handbook, 2nd edn, J. Vacca, ed., Morgan Kaufmann, 2013.

[23]

R. Jhawar, V. Piuri and P. Samarati, Supporting security requirements for resource management in cloud computing, in: Proc. of CSE, Paphos, Cyprus, 2012.

[24]

A.B. Lewko, T. Okamoto, A. Sahai, K. Takashima and B. Waters, Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption, in: Proc. of EUROCRYPT, French Riviera, France, 2010.

[25]

P. Lin and K. Candan, Hiding traversal of tree structured data from untrusted data stores, in: Proc. of WOSIS, Porto, Portugal, 2004.

[26]

R. Ostrovsky, Efficient computation on oblivious RAMs, in: Proc. of STOC, Baltimore, MD, 1990.

[27]

R. Ostrovsky, A. Sahai and B. Waters, Attribute-based encryption with non-monotonic access structures, in: Proc. of CCS, Alexandria, VA, 2007.

[28]

R. Ostrovsky and W.E. Skeith, III, A survey of single-database private information retrieval: Techniques and applications, in: Proc. of PKC, Beijing, China, 2007.

[29]

M. Raykova, H. Zhao and S.M. Bellovin, Privacy enhanced access control for outsourced data sharing, in: Proc. of FC, Kralendijk, Bonaire, 2012.

[30]

L. Ren, C. Fletcher, A. Kwon, E. Stefanov, E. Shi, M. Van Dijk and S. Devadas, Constants count: Practical improvements to oblivious RAM, in: Proc. of USENIX, Washington, DC, 2015.

[31]

A. Sahai and B. Waters, Fuzzy identity-based encryption, in: Proc. of EUROCRYPT, Aarhus, Denmark, 2005.

[32]

P. Samarati and S. De Capitani di Vimercati, Cloud security: Issues and concerns, in: Encyclopedia on Cloud Computing, S. Murugesan and I. Bojanova, eds, Wiley, 2016.

[33]

E. Stefanov and E. Shi, ObliviStore: High performance oblivious cloud storage, in: Proc. of IEEE S&P, San Francisco, CA, 2013.

[34]

E. Stefanov, M. van Dijk, E. Shi, C. Fletcher, L. Ren, X. Yu and S. Devadas, Path ORAM: An extremely simple oblivious RAM protocol, in: Proc. of CCS, Berlin, Germany, 2013.

[35]

C. Wang, N. Cao, K. Ren and W. Lou, Enabling secure and efficient ranked keyword search over outsourced cloud data, IEEE TPDS 23(8) (2012), 1467–1479.

Digital Library

[36]

B. Waters, Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization, in: Proc. of PKC, Taormina, Italy, 2011.

[37]

P. Williams, R. Sion and B. Carbunar, Building castles out of mud: Practical access pattern privacy and correctness on untrusted storage, in: Proc. of CCS, Alexandria, VA, 2008.

[38]

K. Yang, X. Jia, K. Ren, B. Zhang and R. Xie, DAC-MACS: Effective data access control for multiauthority cloud storage systems, IEEE TIFS 8(11) (2013), 1790–1801.

Index Terms

Enforcing authorizations while protecting access confidentiality¹

Index terms have been assigned to the content through auto-classification.

Recommendations

Protecting outsourced data in cloud computing through access management

Data outsourcing is a major component for cloud computing because data owners are able to distribute resources to external services for sharing with users and organizations. A crucial problem for owners is how to secure sensitive information accessed by ...
Shuffle Index: Efficient and Private Access to Outsourced Data
Special Issue USENIX FAST 2015

Data outsourcing and cloud computing have been emerging at an ever-growing rate as successful approaches for allowing users and companies to rely on external services for storing and managing data. As data and access to them are not under the control of ...
Designing and evaluating weighted delegatable authorizations

This paper studies logic-based methods for representing and evaluating complex access control policies needed by modern applications. In our framework, authorization and delegation rules are specified in a weighted delegatable authorization program, ...

Comments

Information & Contributors

Information

Published In

cover image Journal of Computer Security

Journal of Computer Security Volume 26, Issue 2

2018

137 pages

ISSN:0926-227X

Issue’s Table of Contents

© 2018 – IOS Press and the authors. All rights reserved.

Publisher

IOS Press

Netherlands

Publication History

Published: 01 January 2018

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

0
Total Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 26 Jan 2025

Other Metrics

View Author Metrics

Citations

View Options

View options

Figures

Tables

Media

View Issue’s Table of Contents