improving security and efficiency in attribute based...
TRANSCRIPT
IMPROVING SECURITY AND EFFICIENCY IN
ATTRIBUTE BASED DATA SHARING
NURUL SYAFIQAH BINTI JOHARI
BACHELOR OF COMPUTER SCIENCE
(NETWORK SECURITY)
UNIVERSITI SULTAN ZAINAL ABIDIN
2017
IMPROVING SECURITY AND EFFICIENCY IN ATTRIBUTE BASED DATA
SHARING
NURUL SYAFIQAH BINTI JOHARI
Bachelor of Computer Science (Network Security)
Faculty of Informatics and Computing
Universiti Sultan Zainal Abidin, Terengganu, Malaysia
MAY 2017
i
DECLARATION
I hereby declare that this report is based on my original work except for quotations
and citations, which have been duly acknowledged. I also declare that it has not been
previously or concurrently submitted for any other degree at Universiti Sultan Zainal
Abidin or other institutions.
________________________________
Name : Nurul Syafiqah Binti Johari
Date : ..................................................
ii
CONFIRMATION
This is to confirm that:
The research conducted and the writing of this report was under my supervisor.
________________________________
Name : Dr Ahmad Nazari Bin Mohd Rose
Date : ..................................................
iii
DEDICATION
Firstly and foremost praised to Allah, the most Merciful for giving bless and
opportunity to undergo the final year project, Improving Security and Efficiency in
Attribute Based Data Sharing. Besides, I would like to express my gratitude to my
supervisor, Dr Ahmad Nazari Bin Mohd Rose for his full support, expert guidance,
ideas, understanding, motivation and encouragement towards research of this project.
I feel so proudly to be supervised by Dr Ahmad Nazari Bin Mohd Rose with his
guidance and invaluable advices.
Next, I would to thank to the Faculty of Informatics and Computing for giving
me an opportunity to discover and explore new things as my final year project. Last
but not least, I would to thank my family, all others lecturers and my fellow friends for
helping me a lot of moral support in order to complete this final year project. I am
very pleasure for their kindness and encouragement that make me able to endure all
the hardship that I have face to complete this project.
iv
ABSTRACT
Nowadays, many people easily sharing data through network and computing
technology using online external storages. The key generation center (KGC) can
decrypt all cipher text addressed to specific users by generating their attribute keys.
This can be a potential threat to the data privacy in the data sharing system. To
overcome this problem, we improve the security in data sharing by attribute-based
encryption (ABE) which is a cryptographic approach that achieves fine-grained data
access control. Then, cipher text-policy attribute-based encryption (CP-ABE) scheme
can encrypt the attribute and secure data sharing system. The advantage of (CP-ABE)
is a major drawback which is known as a key escrow problem that can be solved by
escrow-free key issuing protocol. The key issuing protocol can generate user secret
key by use a secure two-party computation (2PC) protocol between the KGC and data
storing center with their own master secrets. In conclusion, we can more secure and
fine-grained data access control in the data sharing system by using (CP-ABE)
scheme. The data confidentiality can be cryptographically applied against any KGC or
data storing center in the scheme.
.
v
ABSTRAK
Pada masa kini, ramai orang dengan mudah berkongsi data melalui rangkaian
dan teknologi pengkomputeran menggunakan penyimpanan luar talian. “Key
Generation Center” (KGC) boleh menyahsulit semua “cipher text” yang
ditujukan kepada pengguna tertentu dengan menjana kunci atribut mereka. Ini
boleh menjadi satu ancaman kepada privasi data dalam sistem perkongsian data.
Untuk mengatasi masalah ini, kita meningkatkan keselamatan dalam perkongsian
data dengan “Attribute-Based Encrypton” (ABE) yang merupakan pendekatan
kriptografi yang mencapai kawalan akses data halus. Kemudian,“Cipher text
Policy Attribute-Based Encryption” (CP-ABE) boleh menyulitkan sifat dan sistem
perkongsian data yang selamat. Kelebihan (CP-ABE) merupakan kelemahan
utama yang dikenali sebagai masalah escrow utama yang boleh diselesaikan
dengan protokol pengeluaran utama escrow bebas. Protokol pengeluaran utama
boleh menjana pengguna kunci rahsia dengan menggunakan “secure two-party
computation” (2PC) antara KGC dan data menyimpan pusat dengan rahsia tuan
mereka sendiri. Kesimpulannya, kita boleh mengawal akses data lebih selamat
dan halus dalam sistem perkongsian data dengan menggunakan (CP-ABE) skim.
Kerahsiaan data boleh secara kriptografi digunakan terhadap mana-mana KGC
atau data menyimpan pusat dalam skim ini.
vi
CONTENTS
PAGE
DECLARATION i
CONFIRMATION ii
DEDICATION iii
ABSTRACT iv
ABSTRAK v
CONTENTS vi
CHAPTER I INTRODUCTION
1.1 Background 1
1.2 Problem statement 2
1.3 Objectives 2
1.4
1.5
Project Scopes
Limitation of work
3
3
CHAPTER II LITERATURE REVIEW
2.1 Introduction 4
2.2 Overview of Cipher text – Policy Attribute-Based
Encryption
4
2.3 Elements of Cipher text–Policy Attribute-Based
Encryption
5
2.4 RSA Cryptography 5
vii
2.5
2.6
Analysis of Existing Research Paper
2.5.1 Secure Data Sharing and Retrieval Using
Attribute-Based Encryption in Cloud-Based OSN
2.5.2 Cipher text-Policy Attribute Based Data-
Sharing with Enhanced Productivity and Security
2.5.3 A Survey on Attribute-based Encryption
Schemes of Access Control in Cloud
Environments
2.5.4 Applied Attribute-based Encryption Scheme
2.5.5 Cipher text Policy Attribute Based
Encryption Using 2Party Computation Protocol
Data Sharing
Summary
6
6
7
8
9
10
11
CHAPTER III
METHODOLOGY
3.1
3.2
Introduction
Waterfall Model
3.2.1 Requirement Gathering and Analysis
3.2.2 System Design
3.2.3 Implementation
3.2.4 Testing
3.2.5 Deployment of System
3.2.6 Maintenance
12
13-14
3.3 Technique Used 15
3.4 Why RSA Algorithm 16-17
viii
3.5
3.6
3.7
3.8
3.9
How RSA Algorithm works
3.4.1 How to Determine Suitable Value of e, d and
n
Diagram of Integration Data sharing with RSA
Algorithm
Framework of Project
Process Model of Data Sharing
Data Model of Data Sharing
18
19
20
21
22
REFERENCES 23
1
CHAPTER I
INTRODUCTION
1.1 Background
The data sharing model in distributed system such as online network have been
increasing request for distributed data security. The problems that have been arising
are the data by the storage server by outside users could be possible dangers to their
data with using the key generation center (KGC). The KGC is defined the process of
generating keys in cryptography. Furthermore, KGC can decrypt all messages or data
with using their private keys. Thus, KGC is not suitable for data sharing because the
owner want to make their private data that only can available to designated users key.
[6] By using technique Cipher text Policy Attribute-Based Encryption (CP-ABE), the
encrypted data can be kept private even if the storage server is untrusted but our
techniques are secure against conspiracy attacks. The CP-ABE is enabling to encrypt
the attribute set over a universe of attributes that a decrypt to possess in order to
decrypt the cipher text and apply it. [9]
2
1.2 Problem Statement
Security is an important thing in the data sharing. While the data are was sharing on
the network because there are several problem where the data is not secure. The
leakage of data may occur and intruders or attackers will steal or change the data. To
prevent the leakage of the data owner’s from intruders, attackers or unauthorized user;
the data owner should provide access to large amount of consumer while also being
able to efficiently cancel consumers from data access at any time. This project intends
to solve the problem when data sharing occur and to prevent leakage of data happened
through using Cipher text Policy Attribute-Based Encryption technique.
1.3 Objectives
a) To design a system using CP-ABE
b) To implement the encryption technique for data sharing using RSA
algorithm
c) To test and evaluate the successfulness of RSA algorithm in CP-ABE for
data sharing
3
1.4 Project Scope
This project is using JAVA language programming as a platform to develop this
application. A user friendly Graphic User Interface (GUI) will be developed by using
JAVA programming in NetBeans application. This interface will interact with user
throughout the process. The data that want to share will be encrypted by using RSA
algorithm. This project is mainly focused to protect data from other person in the
network by encrypting it and will send it in the social networks. The authorized user
that received the message will send the key request to the data owner. After receiving
the key from sender only the message will be decrypted
1.5 Limitation of Work
This project is about data sharing between two users in Attribute-Based Data Sharing
using CP-ABE technique and RSA algorithm. This project cannot be applied on many
users at the same time. As example, when User 1 want to share data to User 2 they can
use the one public key and one private key at that time. Thus, when came new User 3
they need to request the new public key to share the data.
4
CHAPTER 2
LITERATURE REVIEW
2.1 Introduction
The main objective of this project is to improve the security and efficiency in
attribute-based data sharing. This chapter describes the previous research that related
to on-going project. Furthermore, this chapter also describes the technique or method
to be taken in the implementation of projects. There are similar published studies
concerning about Cipher text-Policy Attribute Based Encryption (CP-ABE) and
Attribute Based Encryption. For this chapter, there are some reference such as journal
article, internet and thesis. However, there are less likely of this study to be related to
secure data sharing using RSA algorithm.
2.2 Overview of Cipher text Policy Attribute-Based Encryption
Cipher text Policy Attribute-Based Encryption is a type of identity-based encryption
that has one public key and master private key used to make more limited private
keys. Moreover, the attributes in the CP-ABE are attached to the user secret key and
access policy is attached to the cipher text. Thus, CP-ABE enables an encryption to
define the attribute set over a universe of attributes that a decryption needs to possess
in order to decrypt the cipher text and enforce it on the contents.[1]
5
2.3 Elements of Cipher text Policy Attribute-Based Encryption
There are four fundamental algorithms to be executed in CP-ABE which are Setup,
Keygen, Encrypt and Decrypt. Firstly, Setup algorithm takes no input other than
implicit security parameter and the output is the public parameters PK and a master
key MK. Secondly, Keygen algorithm. It is takes input as the master key MK and a set
of attributes S as key. Then, it outputs is private key SK. Next, Encrypt (PK, M, A)
takes the public parameters PK as input, M is a message and A is an access structure
over the universe of attributes. Lastly, Decrypt algorithm (PK, CT, SK) is as an
input in the public parameters PK, a CT cipher text which contain an access policy A
and private key for a set S of attributes.[8]
2.4 RSA Cryptography
The RSA Algorithm is named after Ron Rivest, Adi Shamir and Len Adleman that
who designed it in 1977. The RSA is the most widely-used public key cryptography
algorithm in the world. It can be used to encrypt message without need to exchange a
secret key separately. Furthermore, the RSA algorithm can be used for both public key
encryption and digital signatures. The public key cryptography is also known as an
asymmetric cryptography that used two different but it is mathematically linked keys
that contain one public and one private. Moreover, the RSA has provides a method the
confidentiality, integrity, authenticity and non-reputability of data storage. [2]
6
2.5 Analysis of Existing Research Paper
2.5.1 Secure Data Sharing and Retrieval Using Attribute Based Encryption in
Cloud Based OSNs
The outcome of this project is to allow data owners to outsource encrypted data to the
OSNs (Online Social Networks) service provider for sharing and enables data
disseminators to disseminate the data owner’s by converting new access policy that
based on using Cipher text Policy Attribute-Based Encryption (CP-ABE).
Furthermore, the most access control in OSNs is achieved by requiring the users to
manually maintain the Access Control List (ACL) which is inflexible and coarse-
grained. This means the users can only choose that either publish their data to all users
or grant authorities merely to their approved friends by manually maintaining ACL.
Based on Attribute-Based Encryption (ABE), the users can get a set of
attributes and the data owner can encrypt data with access policy. This will protect
data from unauthorized users or malicious OSNs service provider. Data security is
very important when sharing data thus the solution is encrypt data before sending it to
OSNs service provider. Then, users in OSNs can share their private data based on
Proxy re-encryption (PRE).[3]
7
2.5.2 Cipher text-Policy Attribute based Data Sharing with Enhanced
Productivity and Security
Attribute Based Encryption (ABE) is a technique that is suitable for storing data with
encryption. In this paper, the main objective is to improve the security data integrity.
The benefits of using ABE are reduces the communicational overhead of the Internet.
Furthermore, it is a fine grained access control. Thus, the major drawback is the Key
Escrow problem that’s means that can resolved by escrow free key issuing protocol
which is constructed by using the secure two-party computation between the data
centre and key generation centre. The proposed system in this project for system data
becomes more secure when applied CP-ABE in data sharing system.
Furthermore, in CP-ABE for users Key Generation Centre (KGC) will
generates private keys by applying the KGC’s master secret keys to users
corresponding set of attributes. The benefits are it is much secured data transfer with
advanced encryption technique so that other person cannot decrypt it easily. Then, the
receiver can send multiple key requests to the data owner for the single data.[1]
8
2.5.3 A Survey on Attribute-based Encryption Schemes of Access Control in
Cloud Environments
In Attribute-based Encryption schemes, the attributes play a very important role. The
attribute is to generate a public key for encrypting data and used as an access policy to
control user’s access. The access policy can be categorized as either key-policy or
cipher text-policy. The advantages of ABE schemes are to reduce the communication
overhead the Internet and also to provide a fine-grained access control. In this project,
the authors had survey a basic attribute-based encryption scheme, two various access
policy attribute based encryption-based encryption schemes and two various access
structures that are analyzed for cloud environments. Firstly, the Key-Policy Attribute-
based Encryption (KP-ABE) is proposed by Goyal in 2006.
This scheme uses as set attributes to describe the encrypted data and builds an
access policy in user’s private key. Secondly, the Cipher text-policy Attribute-Based
Encryption scheme by Bethencourt et al. in 2007 and the access policy in the
encrypted data cipher text. The access control method is same as key-policy
attributed-based encryption. In KP-ABE, the access policy is in user’s private key
while the access policy is switched to the encrypted data in CP-ABE. Thus, a set of
descriptive attributes are related with the user private key and the access policy is built
in the encrypted data. [7]
9
2.5.4 Applied Attribute-based Data Encryption Schemes
The schemes of Attribute-based Encryption (ABE) became most popular including
cipher text-policy and key-policy ABE. This article gives an overview about the
existing implementations and elaborates on value in specific cloud computing and IoT
application situations. There are many existing of cryptographic schemes that depend
on the idea of a secret key which is a private key within symmetric or asymmetric
cryptography. ABE is an asymmetric encryption schemes that means keys come in
pairs such as one key encrypts and the other one is decrypt. It is also called as public
key that use different keys for encryption and decryption.
The important characteristic of ABE is the prevention of collusion attacks.
There are two main options of ABE. Firstly, Cipher text-Policy ABE (CP-ABE) that is
Boolean formula is saved in the cipher text. The attributes that are needed is to satisfy
policies are saved in a private key. Secondly, Key-Policy ABE (KP-ABE) which is the
private keys that holds the formula and the cipher text saves attributes. In the IoT
world, securing the data transfer is sometimes difficult. By applying ABE schemes, it
will prove the security can be increase and have advantages such as grouping sensors
that share a certain characteristics and can apply attributes to them for end-to-end
encryption method are achievable. [6]
10
2.5.5 Cipher text Policy Attribute Based Encryption Using 2 Party
Computation Protocol in Data Sharing
Data sharing in distributed system such as in online social network that demands for
distributed data security. In this paper, it is proposed a Cipher text Policy Attribute
Based Encryption (CP-ABE) scheme for overcoming the key escrow problem by
solved it with using the secure two-party computation protocol between key
generation centre and data storing centre. Furthermore, the performance and security
analyses show that this scheme is efficient to securely manage the data distributed in
the data sharing system. The CP-ABE scheme is the most powerful cryptographic
solution to the issue of updates access policy in a distributed data sharing system.
In this paper, the author had proposed a 2 Party Computation Protocol that are
completely removes the problem of key escrow. The key escrow was removed by 2
PC Protocol that are establishes two secret key components where is one from the
KGC SK and another is from the data storing centre SK. [5]
11
2.6 Summary
In a nutshell, the security for data sharing is very important to secure our data from
being stolen from unauthorized user. A scheme to achieve more secure and fine
grained data access control in the data sharing system, it is should to demonstrate the
efficient and scalable to securely manage user data in the data sharing system.[4]
12
CHAPTER 3
METHODOLOGY
3.1 Introduction
This chapter reports the model development of a comprehensive framework taken in a
development system, application or implementation of study. The waterfall model has
been used in this project because it is simple, suitable and easy to understand and use.
In a waterfall model, each phase must be fully completed before the next phase can
begin. This model phase does not overlap.
Figure 1: Waterfall Model
Requirement gathering
and analysis
System design
Implementation
Testing
Deployment of System
Maintenance
13
3.2 Waterfall Model
This project used a sequential order and move to next step of development and testing
if the previous steps is successfully which a waterfall model is shown in Figure 1. The
waterfall model concept carried out in downward mechanism like water falls towards
down. In waterfall model, when the first step is complete and next step has to start in
development process. Thus, the waterfall model cannot revert back to the previous
step to perform any change.
3.2.1 Requirement Gathering and Analysis
In this phase, detailed requirement of the system to be developed are gathered.
Then, analysed all the gather requirements whether the requirements are valid
or invalid.
3.2.2 System Design
In this phase, all the system design is analysed and specified such as system
configuration and architecture of the system. Furthermore, it is contain
framework and use case diagram.
3.2.3 Implementation
In this phase, all the development works are achieved and development
components are handed over to testing team.
3.2.4 Testing
For testing phase, the testing team will test each component and make sure the
developed components are working as expected. All the testing activities are
performed in this phase.
14
3.2.5 Deployment of System
Once the testing phase is completed and make sure there is no any kind of
issue, then the project is ready to be deployed. Once the product is deployed to
production the end users can start using the product.
3.2.6 Maintenance
For keep the maintenance in a good condition, we must always keep eye on the
product and provide all the necessary issues fix if occurs in production and get
report by end users.
.
15
3.3 Technique Used
In this project, tools that have been used are latest NetBeans application to
develop data sharing system using JAVA programming language. Furthermore, RSA
algorithm is improved and integrate with the system that have been developed to make
encryption and decryption process. RSA is an asymmetric cryptographic algorithm
that means have two different keys. The asymmetric algorithms use different keys for
encryption and decryption. Thus, it is important because they can used for transmitting
encryption keys or other data securely even when the parties have no opportunity to
agree on a secret key in private. The most important, RSA implements a public-key
cryptosystem.
Moreover, Cipher text Policy Attribute-Based Encryption much more flexible
than plain identity-based encryption, it is allows complex rules specifying which
private keys can decrypt which is cipher texts. Specifically, the private keys are
associated with sets of attributes or labels, and when encrypt an access policy which
specifies which keys will be able to decrypt.
16
3.4 Why RSA algorithms:
RSA stands for Ron Rivest, Adi Shamir and Len Adleman, who first publicly
described it in 1977. In this project, using RSA algorithm to encrypt the data to
provide security so that only the concerned user can access it. By securing the data,
we are not allowing unauthorized access to it. User data is encrypted first and then it is
stored in the cloud. When it is required, user places a request for the data for the cloud
provider. Then, cloud provider will authenticate the user and delivers the data.
Furthermore, RSA is a block cipher in which every message is mapped to an integer.
RSA consists of public key and private key. [5]
In cloud environment, public key is recognized to all, whereas private key is
recognized only to the user who originally has the data. Thus, encryption is done by
the cloud service provider and decryption is done by the cloud user. Once the data is
encrypted with the public key, it can be decrypted with the private key only.
Moreover, the RSA algorithm has involves three operation where are key generation,
encryption and decryption. [10]
1) Key Generation
- The key generation algorithm takes the master key MK and a set of attributes
S that describe the key as input. It delivers a private key SK as the output.
2) Encryption
- The encryption algorithm consumes the public parameters PK, a message
M, and an access structure A as input. The algorithm will encrypt M and
produce a cipher text CT such that only a user that keeps a set of attributes
that fulfills the access structure will be able to decrypt the message.
3) Decryption
- The decryption algorithm takes the public parameters PK, a cipher text CT,
and a private key SK, as input. Then, the algorithm will decrypt the cipher
text and return a message M as output.
17
Key Generation
Select p, q p , q both prime, p ≠ q
Calculate n = p x q
Calculate ɸ (n) = (p-1) x (q-1)
Select integer e gcd (ɸ(n),e) = 1; 1 < e < ɸ (n)
Calculate d
Public key KU = {e , n}
Private key KR = {d , n}
Encryption
Plaintext : M < n
Cipher text : C = Me (mod n)
Decryption
Cipher text : C
Plaintext : M = Cd (mod n)
Table 1 : Operation of RSA Algorithm
18
3.5 How RSA Algorithm works
RSA is one of the first applied public-key cryptosystems and is widely used for secure
data transmission. In a cryptosystem, the encryption key is public and varies from the
decryption key which is kept secret. The RSA algorithm take advantage of on the fact
that there is no efficient way to factor very large (100-200 digit) numbers.
Using an encryption key (e, n), the algorithm is as follows:
1. Represent the message as an integer between 0 and (n-1). Large messages can
be broken up into a number of blocks. Each block would then be represented
by an integer in the same range.
2. Encrypt the message by raising it to the eth
power modulo n. The result is a
cipher text message C.
3. To decrypt cipher text message C, raise it to another power d modulo n
The encryption key (e, n) is made public. The decryption key (d, n) is kept private by
the user.
3.5.1 How to Determine Suitable Values for e, d, and n
1. Choose two very large (100+ digit) prime numbers. Denote these numbers
as p and q.
2. Set n equal to p * q.
3. Choose any large integer, d, such that GCD(d, ((p-1) * (q-1))) = 1
4. Find e such that e * d = 1 (mod ((p-1) * (q-1)))
19
3.6 Diagram of Integration Data Sharing with RSA Algorithm
Figure 2: Integration of Data Sharing of RSA
20
3.7 Framework of project
Figure 3: Framework
Data
Attribute
Encryption using
RSA algorithm
Cipher text
Encrypted
Attribute
Encrypted
Attribute
Access
Structure
Encryption
Cipher text
Decrypt using
RSA algorithm
Attribute
Verification
Plaintext
USER 1
USER 2
21
3.8 Process Model of Data Sharing
Figure 4: Use Case Diagram
Figure 4: Use Case Diagram
Register
Log In
Share Data
Upload
View Data
Encrypt
Decrypt
Download data
Log Out
USER 1 USER 2
22
3.9 Data Model of Data Sharing
Figure 5: Class Diagram
user1
+username
+password
+register ()
+log in ()
+share data ()
+encrypt data ()
+upload data ()
+view data ()
+log out ()
user2
+username
+password
+register ()
+log in ()
+view data ()
+decrypt data ()
+download data ()
+log out ()
23
REFERENCES
[1] K. Patil and V. Chitre, “Ciphertext-Policy Attribute based Data-Sharing with
Enhanced Productivity and Security,” vol. 4, no. 11, pp. 165–169, 2015.
[2] J. Jones, “The RSA algorithm,” ACM Commun. Comput. Algebr., no. June, pp.
1–11, 2008.
[3] Q. Huang, Z. Ma, Y. Yang, J. Fu, and X. Niu, “Secure data sharing and
retrieval using attribute-based encryption in cloud-based OSNs,” Chinese J.
Electron., vol. 23, no. 3, pp. 557–563, 2014.
[4] M. Pratheepa and R. Bharathi, “Improving Security and Efficiency in Attribute
Based Data Sharing,” vol. 3, no. 1, pp. 119–122, 2014.
[5] N. Y. Goshwe, “Data Encryption and Decryption Using RSA Algorithm in a
Network Environment,” vol. 13, no. 7, pp. 9–13, 2013.
[6] Junbeom Hur, "Improving Security and Efficiency in Attribute-Based Data
Sharing," vol. 25, no. 10, 2013.
[7] Cheng-Chi Lee, Pei Shan Chung and Min-Shiang Hwang, "A Survey on
Attribute-based Encryption Schemes of Access Control in Cloud
Environments," vol. 15, no. 4, pp. 231-240, 2013.
[8] John Bethencourt, Amit Sahai and Brent Waters," Ciphertext-Policy Attribute-
Based Encryption,"pp. 321-334, 2007.
[9] K.Gonnade and F.Zama, "Design Secure Sharing Protocol," vol. 4, no. 6, pp.
12449-12452, 2015.
[10] Matthew Pirretti, Pattrick Traynor , Pattrick Mcdaniel and Brent Waters,
"Secure Attribute-Based System," 2006.