role based access control to protect cloud data … · preserve data against the service provider...
TRANSCRIPT
ROLE BASED ACCESS CONTROL TO PROTECT
CLOUD DATA USING R3 SCHEME
S. Ranjith Kumar1, G. Pandian
1, D. Saravanan
1, Mr. R. Raja
2
1Department of Computer Science and Engineering, Velammal Institute of Technology, Panchetti Chennai
2Assistant Professor, Department of Computer science and Engineering, Velammal Institute of Technology
Corresponding Author Address:
S. Ranjith Kumar
Student Department of Computer Science and Engineering,
Velammal Institute of Technology,
Chennai, India.
ABSTRACT:
A key approach to secure cloud computing is for data owner to store encryption data in the
cloud. Then issue key to authorized user.When a user is revoked the data owner will issue re-
encryption commands to the cloud to re-encryption the data to prevent the revoked user from
decrypting the data and to generate new decryption key to validate user, so that they can
continues to access the data. The essence of Role-Based Access Control (RBAC) is that
system permissions are assigned to defined “roles” rather than to individual users using R3
scheme. The data owner will first generate a shared secret key to the CSP. Then, after the data
owner encrypts each file with the appropriate attribute structure and time slice, the data
owner uploads the file in the cloud. The CSP will replicate the file to various cloud servers.
Each cloud server will have a copy of the shared secret key.Let us assume that a cloud server
stores an encrypted file F with A and TSi. When a user queries that cloud server, the cloud
server first uses its own clock to determine the current time slice.
KEYWORDS: cloud computing, re-encryption, R3scheme, secret key, CSP, decryption,
RBAC.
INTRODUCTION
Security is one of the main user concerns for the adoption of Cloud computing. Moving data
to the Cloud usually implies relying on the Cloud Service Provider (CSP) for data protection.
Although this is usually managed based on legal or Service Level Agreements (SLA), the
CSP could potentially access the data or even provide it to third parties. Users may loss
control on their data. Even the trust on the federated CSPs is outside the control of the data
owner. Encryption is the most widely used method to protect data in the Cloud. Encrypting
data avoids undesired accesses. A rule-based approach would be desirable to provide
expressiveness. An RBAC approach would be closer to current access control methods,
resulting more natural to apply for access control enforcement than ABE-based mechanisms.
In terms of expressiveness, it is said that ABAC supersedes RBAC since roles can be
represented as attributes.
This paper presents SecRBAC, a data-centric access control solution for self-protected data
that can run in untrusted CSPs and provides extended Role-Based Access Control
International Journal of Scientific Research in Engineering (IJSRE) Vol. 1 (4), April, 2017
IJSRE Vol. 1 (4), April, 2017 www.ijsre.in Page 60
expressiveness. The proposed authorization solution provides a rule-based approach
following the RBAC scheme, where roles are used to ease the management of access to the
resources. This approach can help to control and manage security and to deal with the
complexity of managing access control in Cloud computing. Role and resource hierarchies
are supported by the authorization model, providing more expressiveness to the rules by
enabling the definition of simple but powerful rules that apply to several users and resources
thanks to privilege propagation through roles and hierarchies. Policy rule specifications are
based on Semantic Web technologies that enable enriched rule definitions and advanced
policy management features like conflict detection. A data-centric approach is used for data
self-protection, where novel cryptographic techniques such as Proxy Re-Encryption
Encryption (PRE), Identity- Based Encryption (IBE) and Identity-Based Proxy Re-
Encryption (IBPRE) are used. They allow to re-encrypt data from one key to another without
getting access and to use identities in cryptographic operations. These techniques are used to
protect both the data and the authorization model. Each piece of data is ciphered with its own
encryption key linked to the authorization model and rules are cryptographically protected to
preserve data against the service provider access or misbehavior when evaluating the rules. It
also combines a user-centric approach for authorization rules, where the data owner can
define a unified access control policy for his data. The solution enables a rule based approach
for authorization in Cloud systems where rules are under control of the data owner and access
control computation is delegated to the CSP, but making it unable to grant access to
unauthorized parties.
RELATED WORKS
Diverse methodologies can be found in the writing to hold control over approval in Cloud
figuring. In [13] creators propose to keep the approval choices taken by the information
proprietor. The get to model is not distributed to the Cloud but rather kept secure on the
information proprietor premises. Be that as it may, in this approach the CSP turns into a
minor stockpiling framework and the information proprietor ought to be online to process get
to demands from clients. Another approach from [14] manages this issue by empowering a
module component in the CSP that permits information proprietors to convey their own
security modules. These licenses to control the approval systems utilized inside a CSP.
Notwithstanding, it doesn't set up how the approval model ought to be secured, so the CSP
could possibly gather data and get to the information. In addition, this approach does not
cover Inter-cloud situations, since the module ought to be conveyed to various CSPs. Also,
these methodologies don't ensure information with encryption techniques. In the proposed
SecRBAC arrangement, data encryption is used to prevent the CSP to access the data or to
discharge it bypassing the approval component. In any case, applying information encryption
infers extra difficulties identified with approval expressiveness. Taking after a direct
approach, one can incorporate information in a bundle encoded for the planned clients. This
is generally done when sending a file or archive to a specific collector and guarantees that
exclusive the beneficiary with the fitting key can unscramble it. From an approval
perspective, this can be viewed as a basic lead where just the client with benefit to get to the
International Journal of Scientific Research in Engineering (IJSRE) Vol. 1 (4), April, 2017
IJSRE Vol. 1 (4), April, 2017 www.ijsre.in Page 61
information will have the capacity to decode. Just that basic control can be upheld and only
one single lead can apply to every information bundle.
Consequently, numerous encoded duplicates ought to be made with a specific end goal to
convey similar information to various recipients. To adapt to these issues, SecRBAC takes
after an information driven approach that can cryptographically ensure the information while
giving access control abilities. A few information driven methodologies, generally in light of
Attribute-based Encryption (ABE) [5], have emerged for information security in the Cloud
[4]. In ABE, the scrambled cipher text is named with an arrangement of properties by the
information proprietor. Clients likewise have an arrangement of qualities defined in their
private keys. They would have the capacity to get to information (i.e. unscramble it) or not
relying upon the match amongst cipher text and key qualities. The arrangement of properties
required by a client to unscramble the information is defined by a get to structure, which is
specified as a tree with and additionally hubs.
There are two principle approaches for ABE relying upon where the get to structure lives:
Key-Policy ABE (KP-ABE) [5] and Ciphertext-Policy ABE (CP-ABE) [3]. In KP-ABE the
get to structure or strategy is defined inside the private keys of clients. This permits to
scramble information marked with qualities and afterward control the entrance to such
information by conveying the proper keys to clients. Be that as it may, for this situation the
strategy is truly defined by the key guarantor rather than the encryptor of information, i.e. the
information proprietor. Along these lines, the information proprietor ought to put stock in the
key guarantor for this to appropriately create a satisfactory get to strategy. To unravel this
issue, CP-ABE proposes to incorporate the get to structure inside the ciperthext, which is
under control of the information proprietor. At that point, the key guarantor just attests the
traits of clients by incorporating them in private keys. In any case, either in KP-ABE or CP-
ABE, the expressiveness of the get to control approach is constrained to mixes of AND-ed or
potentially ed traits. The information driven arrangement exhibited in this paper goes a stage
forward regarding expressiveness, giving a govern based approach taking after the RBAC
plot that is not fixing to the impediments of current ABE approaches. Diverse proposition
have been additionally created to attempt to reduce ABE expressiveness confinements.
Creators in [15] propose an answer in light of CP-ABE with support for sets.
Traits are sorted out in a recursive set structure and get to arrangements can be defined upon a
solitary set or consolidating qualities from various sets. This empowers the definition of
compound traits and specification of approaches that influence the characteristics of a set. An
approach named Hierarchical Attribute-based Encryption is introduced in [16]. It utilizes a
various leveled era of keys to accomplish fine-grain get to control, versatility and
appointment. Notwithstanding, this approach suggests that traits ought to be managed by the
same root domain authority. In[17], authors amplify CP-ASBE with a various leveled
structure to clients keeping in mind the end goal to enhance versatility and flexibility. This
approach gives progressive key structure. Another approach is Flexible and Efficient Access
Control Scheme (FEACS) [2]. It depends on KP-ABE and gives a get to control structure
spoke to by an equation including AND, OR and NOT, empowering more expressiveness for
KP-ABE. The previously mentioned ABE-based arrangements proposed for understanding
access control in Cloud registering depend on the Attribute-based Access Control (ABAC)
International Journal of Scientific Research in Engineering (IJSRE) Vol. 1 (4), April, 2017
IJSRE Vol. 1 (4), April, 2017 www.ijsre.in Page 62
display. As remarked in Section 1, both ABAC and RBAC models have their own favorable
circumstances and hindrances [7] [9]. On one hand, RBAC may require the definition of
countless for fine-grain approval (part blast issue in RBAC). ABAC is additionally simpler to
set up without need to try on part investigation as required for RBAC. On another hand,
ABAC may bring about countless since a framework with n credits would have up to 2n
conceivable rule combinations(rule explosion problem in ABAC).ABAC isolates approval
rules from client properties, making it difficult to decide authorizations accessible to a
specific user, while RBAC is deterministi can privileges can be effortlessly controlled by the
information proprietor. In addition, the cryptographic operations utilized as a part of ABE
methodologies typically confine the level of expressiveness gave by the get to control rules.
Solidly, part chain of importance and protest progression abilities gave by SecRBAC can't be
accomplished by current ABE plans. Also, private keys in ABE ought to contain the qualities
of the client, which tights the keys to consents in the get to control approach. In SecRBAC,
client keys just recognize their holders and they are not attached to the approval display. That
is, client benefits are totally free of their private key. At last, no client driven approach for
approval guidelines is given by current ABE arrangements. In SecRBAC, a solitary get to
arrangement defined by the information proprietor can ensure more than one bit of
information, bringing about a client driven approach for govern administration. Moreover, the
proposed arrangement offers help for the ontological portrayal of the approval demonstrate,
giving extra thinking instruments to adapt to issues, for example, recognition of conflicts
between various approval rules.
PROPOSED METHODOLOGY
We proposed a reliable re-encryption scheme in unreliable cloud .R3 is the time based re-
encryption scheme,which allows each cloud services to automatically re-encrypt data based
on its internal clock. The basic idea of this R3 is to associate the data with an access control
and access time. Each user is issued key associated with attibutes and attribute effective time.
Data-centric solution with data protection for the Cloud Service Provider to be unable to
access it. Rule-based approach for authorization where rules are under control of the data
owner. High expressiveness for authorization rules applying the RBAC scheme with role
hierarchy and resource hierarchy.
Role Manager
Role Manager provides user registration service to register user profile that includes a user
ID, password, and provide a small amount of additional information, including affiliation,
country, and a valid e-mail address and importantly role of the users. This information is
never provided to any application without a user's explicit permission.
Encryption/Decryption Algorithm:
Blowfish is a symmetric block cipher algorithm for encryption/decryption. Blowfish is
accepted as a fast and strong encryptison algorithm because it has not been cracked. Blowfish
is fixed 64 bit block cipher and a takes key length from 32-448bits. Total 16 processing
International Journal of Scientific Research in Engineering (IJSRE) Vol. 1 (4), April, 2017
IJSRE Vol. 1 (4), April, 2017 www.ijsre.in Page 63
rounds of data encryption is performed in Blowfish. This algorithm is divided into two parts-
(i) Key expansion and (ii) Data encryption. In key expansion process 448 bits key is
converted into 4168 bytes. The advantages of blowfish algorithm are that it is secure and easy
to implement and best for hardware implementation, but the disadvantage is it require more
space for the cipher text because of difference between key size and block size.
Time Based One Time Password:
Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time
password from a shared secret key and the current time. It has been adopted as Internet
standard RFC 6238,[1] is the cornerstone of Initiative For Open Authentication (OATH) and
is used in a number of authentication systems.
TOTP is an example of a hash-based message authentication code (HMAC). It combines a
secret key with the current timestamp using a cryptographic hash function to generate a one-
time password. The timestamp typically increases in 30-second intervals, so passwords
generated close together in time from the same secret key will be equal.
User Login
A login, logging in or logging on is the entering of identifier information into a system by a
user in order to access that system (e.g., a computer or a website). It is an integral part of
computer security procedures.A login generally requires the user to enter two pieces of
information, first a user name and then a password. This information is entered into
a login window on a GUI (graphical user interface) or on the command line in a console (i.e.,
an all-text mode screen), depending on the system and situation. A user name, also referred to
as an account name, is a string (i.e., sequence of characters) that uniquely identifies a user.
User names can be the same as or related to the real names of users, or they can be
completely arbitrary.
Key Generator Login:
A key generator is used in many cryptographic protocols to generate a sequence with many
pseudo-random characteristics.
SETUP AND RESULTS
Given Below we have provided the setup of the portal
Figure-1 Overall Architecture Diagram
International Journal of Scientific Research in Engineering (IJSRE) Vol. 1 (4), April, 2017
IJSRE Vol. 1 (4), April, 2017 www.ijsre.in Page 64
During this process the user can register through client interface and get their data encrypted
using re-encryption. One public key will be handled by the cloud server and private key will
be maintained by the data owner. CSP will handle the private key which encrypt the data in
the privacy table. when another user tried to access or modify the data in cloud,propwer
access permission is needed. Once permission is issued data is accessed without any
retriction. The key manager is responsible for generating the key and sending requested key
to client through mail. Once key is received, the user will decrypt the data.Role manager is
respsible for assigning the roles to users. Cloud admin taking the accessibilities of role
manager.
Figure-2 Index Page
Figure-3 Client registration interfaces
Figure-4 Client upload files
Figure-5 View of uploaded file before
encryption
Figure-6 Encrypted file view
Figure-7 Key Generator to send key
CONCLUSION
In this article, we have investigated the privacy challenges in the Cloud computing by first
identifying the data privacy requirements and then discussing whether existing privacy-
preserving techniques are sufficient for data processing. We have also introduced an efficient
International Journal of Scientific Research in Engineering (IJSRE) Vol. 1 (4), April, 2017
IJSRE Vol. 1 (4), April, 2017 www.ijsre.in Page 65
and privacy-preserving Two-level encryption in response to the efficiency and privacy
requirements of data mining in the cloud.
REFERENCES
1. IBM, “Big Data at the Speed of Business,” http://www-1.ibm.com/software/data/bigdata/,
2012.
2. X. Wu et al., “Data Mining with Big Data,” IEEE Trans. Knowledge DataEng., vol. 26,
no. 1, 2014, pp. 97–107.
3. S. Liu, “Exploring the Future of Computing,” IT Professional, vol. 15, no.1, 2013, pp.2-3.
4. Oracle, “Oracle Big Data for the Enterprise,”
http://www.oracle.com/caen/technologies/big-data, 2012.
5. “Big Data at CSAIL,” http://bigdata.csail.mit.edu/
6. R. Lu et al., “EPPA: An Efficient and Privacy-Preserving Aggregation Shemefor Secure
Smart Grid Communications,” IEEE Trans. Parallel Distrib. Sys.,vol. 23, no. 9, 2012, pp.
1621–31.
7. P. Paillier, “Public-Key Cryptosystems based on Composite Degree Residuosity Classes,”
EUROCRYPT, 1999, pp. 223–38.
8. M. Li et al., “Toward Privacy-Assured and Searchable Cloud Data StorageServices,”
IEEE Network, vol. 27, no. 4, 2013, pp. 1–10.
9. A. Cavoukian and J. Jonas, “Privacy by Design in the Age of Big Data,”Office of the
Information and Privacy Commissioner, 2012.
10. R. Lu, X. Lin, and X. Shen, “SPOC: A Secure and Privacy-Preserving Opportunistic
Computing Framework for Mobile-Healthcare Emergency,”
11. J. W. Byun and D. H. Lee, “On a security model of conjunctive keyword search over
encrypted relational database,” J. Syst. Softw., vol. 84, no. 8, pp. 1364–1372, 2011.
12. M. Ding, F. Gao, Z. Jin, and H. Zhang, “An efficient public key encryption with
conjunctive keyword search scheme based on pairings,” in Proc. 3rd IEEEInt. Conf.
Netw. Infrastruct. Digit. Content (IC-NIDC), Beijing, China, Sep. 2012, pp. 526–530.
13. J. Shao, Z. Cao, X. Liang, and H. Lin, “Proxy re-encryption with keyword search,” Inf.
Sci., vol. 180, no. 13, pp. 2576–2587, 2010.
14. W.-C. Yau, R. C.-W. Phan, S.-H. Heng, and B.-M. Goi, “Proxy re-encryption with
keyword search re-encryption with keyword search: New definitions and algorithms,” in
Proc. Int. Conf. Security Technol., vol. 122. Jeju Island, Korea, Dec. 2010, pp. 149–160.
15. L. Fang, W. Susilo, C. Ge, and J. Wang, “Chosen-ciphertext secure anonymous
conditional proxy re-encryption with keyword search,” Theoretical Comput. Sci., vol.
462, pp. 39–58, Nov. 2012.
16. X. A. Wang, X. Huang, X. Yang, L. Liu, and X. Wu, “Further observation on proxy re-
encryption with keyword search,” J. Syst. Softw., vol. 85, no. 3, pp. 643–654, 2012.
17. R. Canetti, O. Goldreich, and S. Halevi, “The random oracle methodology, revisited,” J.
ACM, vol. 51, no. 4, pp. 557–594, 2004.
18. M. Bellare, A. Boldyreva, and A. Palacio, “An uninstantiable randomoracle-model
scheme for a hybrid-encryption problem,” in Proc. Int. Conf. Theory Appl. Cryptogr.
Techn. (EUROCRYPT), vol. 3027. Interlaken, Switzerland, May 2004, pp. 171–188.
International Journal of Scientific Research in Engineering (IJSRE) Vol. 1 (4), April, 2017
IJSRE Vol. 1 (4), April, 2017 www.ijsre.in Page 66
19. J. W. Byun, H. S. Rhee, H.-A. Park, and D. H. Lee, “Offline keyword guessing attacks on
recent keyword search schemes over encrypted data,” in Proc. 3rd VLDB Workshop
Secure Data Manage. (SDM), vol. 4165. Seoul, Korea, Sep. 2006, pp. 75–83.
20. W.-C. Yau, R. C.-W. Phan, S.-H. Heng, and B.-M. Goi, “Keyword guessing attacks on
secure searchable public key encryption schemes with a designated tester,” Int. J.
Comput. Math., vol. 90, no. 12, pp. 2581–2587, 2013.
International Journal of Scientific Research in Engineering (IJSRE) Vol. 1 (4), April, 2017
IJSRE Vol. 1 (4), April, 2017 www.ijsre.in Page 67