role based access control to protect cloud data … · preserve data against the service provider...

ROLE BASED ACCESS CONTROL TO PROTECT

CLOUD DATA USING R3 SCHEME

S. Ranjith Kumar1, G. Pandian

1, D. Saravanan

1, Mr. R. Raja

2

1Department of Computer Science and Engineering, Velammal Institute of Technology, Panchetti Chennai

2Assistant Professor, Department of Computer science and Engineering, Velammal Institute of Technology

Corresponding Author Address:

S. Ranjith Kumar

Student Department of Computer Science and Engineering,

Velammal Institute of Technology,

Chennai, India.

ABSTRACT:

A key approach to secure cloud computing is for data owner to store encryption data in the

cloud. Then issue key to authorized user.When a user is revoked the data owner will issue re-

encryption commands to the cloud to re-encryption the data to prevent the revoked user from

decrypting the data and to generate new decryption key to validate user, so that they can

continues to access the data. The essence of Role-Based Access Control (RBAC) is that

system permissions are assigned to defined “roles” rather than to individual users using R3

scheme. The data owner will first generate a shared secret key to the CSP. Then, after the data

owner encrypts each file with the appropriate attribute structure and time slice, the data

owner uploads the file in the cloud. The CSP will replicate the file to various cloud servers.

Each cloud server will have a copy of the shared secret key.Let us assume that a cloud server

stores an encrypted file F with A and TSi. When a user queries that cloud server, the cloud

server first uses its own clock to determine the current time slice.

KEYWORDS: cloud computing, re-encryption, R3scheme, secret key, CSP, decryption,

RBAC.

INTRODUCTION

Security is one of the main user concerns for the adoption of Cloud computing. Moving data

to the Cloud usually implies relying on the Cloud Service Provider (CSP) for data protection.

Although this is usually managed based on legal or Service Level Agreements (SLA), the

CSP could potentially access the data or even provide it to third parties. Users may loss

control on their data. Even the trust on the federated CSPs is outside the control of the data

owner. Encryption is the most widely used method to protect data in the Cloud. Encrypting

data avoids undesired accesses. A rule-based approach would be desirable to provide

expressiveness. An RBAC approach would be closer to current access control methods,

resulting more natural to apply for access control enforcement than ABE-based mechanisms.

In terms of expressiveness, it is said that ABAC supersedes RBAC since roles can be

represented as attributes.

This paper presents SecRBAC, a data-centric access control solution for self-protected data

that can run in untrusted CSPs and provides extended Role-Based Access Control

International Journal of Scientific Research in Engineering (IJSRE) Vol. 1 (4), April, 2017

IJSRE Vol. 1 (4), April, 2017 www.ijsre.in Page 60

expressiveness. The proposed authorization solution provides a rule-based approach

following the RBAC scheme, where roles are used to ease the management of access to the

resources. This approach can help to control and manage security and to deal with the

complexity of managing access control in Cloud computing. Role and resource hierarchies

are supported by the authorization model, providing more expressiveness to the rules by

enabling the definition of simple but powerful rules that apply to several users and resources

thanks to privilege propagation through roles and hierarchies. Policy rule specifications are

based on Semantic Web technologies that enable enriched rule definitions and advanced

policy management features like conflict detection. A data-centric approach is used for data

self-protection, where novel cryptographic techniques such as Proxy Re-Encryption

Encryption (PRE), Identity- Based Encryption (IBE) and Identity-Based Proxy Re-

Encryption (IBPRE) are used. They allow to re-encrypt data from one key to another without

getting access and to use identities in cryptographic operations. These techniques are used to

protect both the data and the authorization model. Each piece of data is ciphered with its own

encryption key linked to the authorization model and rules are cryptographically protected to

preserve data against the service provider access or misbehavior when evaluating the rules. It

also combines a user-centric approach for authorization rules, where the data owner can

define a unified access control policy for his data. The solution enables a rule based approach

for authorization in Cloud systems where rules are under control of the data owner and access

control computation is delegated to the CSP, but making it unable to grant access to

unauthorized parties.

RELATED WORKS

Diverse methodologies can be found in the writing to hold control over approval in Cloud

figuring. In [13] creators propose to keep the approval choices taken by the information

proprietor. The get to model is not distributed to the Cloud but rather kept secure on the

information proprietor premises. Be that as it may, in this approach the CSP turns into a

minor stockpiling framework and the information proprietor ought to be online to process get

to demands from clients. Another approach from [14] manages this issue by empowering a

module component in the CSP that permits information proprietors to convey their own

security modules. These licenses to control the approval systems utilized inside a CSP.

Notwithstanding, it doesn't set up how the approval model ought to be secured, so the CSP

could possibly gather data and get to the information. In addition, this approach does not

cover Inter-cloud situations, since the module ought to be conveyed to various CSPs. Also,

these methodologies don't ensure information with encryption techniques. In the proposed

SecRBAC arrangement, data encryption is used to prevent the CSP to access the data or to

discharge it bypassing the approval component. In any case, applying information encryption

infers extra difficulties identified with approval expressiveness. Taking after a direct

approach, one can incorporate information in a bundle encoded for the planned clients. This

is generally done when sending a file or archive to a specific collector and guarantees that

exclusive the beneficiary with the fitting key can unscramble it. From an approval

perspective, this can be viewed as a basic lead where just the client with benefit to get to the



information will have the capacity to decode. Just that basic control can be upheld and only

one single lead can apply to every information bundle.

Consequently, numerous encoded duplicates ought to be made with a specific end goal to

convey similar information to various recipients. To adapt to these issues, SecRBAC takes

after an information driven approach that can cryptographically ensure the information while

giving access control abilities. A few information driven methodologies, generally in light of

Attribute-based Encryption (ABE) [5], have emerged for information security in the Cloud

[4]. In ABE, the scrambled cipher text is named with an arrangement of properties by the

information proprietor. Clients likewise have an arrangement of qualities defined in their

private keys. They would have the capacity to get to information (i.e. unscramble it) or not

relying upon the match amongst cipher text and key qualities. The arrangement of properties

required by a client to unscramble the information is defined by a get to structure, which is

specified as a tree with and additionally hubs.

There are two principle approaches for ABE relying upon where the get to structure lives:

Key-Policy ABE (KP-ABE) [5] and Ciphertext-Policy ABE (CP-ABE) [3]. In KP-ABE the

get to structure or strategy is defined inside the private keys of clients. This permits to

scramble information marked with qualities and afterward control the entrance to such

information by conveying the proper keys to clients. Be that as it may, for this situation the

strategy is truly defined by the key guarantor rather than the encryptor of information, i.e. the

information proprietor. Along these lines, the information proprietor ought to put stock in the

key guarantor for this to appropriately create a satisfactory get to strategy. To unravel this

issue, CP-ABE proposes to incorporate the get to structure inside the ciperthext, which is

under control of the information proprietor. At that point, the key guarantor just attests the

traits of clients by incorporating them in private keys. In any case, either in KP-ABE or CP-

ABE, the expressiveness of the get to control approach is constrained to mixes of AND-ed or

potentially ed traits. The information driven arrangement exhibited in this paper goes a stage

forward regarding expressiveness, giving a govern based approach taking after the RBAC

plot that is not fixing to the impediments of current ABE approaches. Diverse proposition

have been additionally created to attempt to reduce ABE expressiveness confinements.

Creators in [15] propose an answer in light of CP-ABE with support for sets.

Traits are sorted out in a recursive set structure and get to arrangements can be defined upon a

solitary set or consolidating qualities from various sets. This empowers the definition of

compound traits and specification of approaches that influence the characteristics of a set. An

approach named Hierarchical Attribute-based Encryption is introduced in [16]. It utilizes a

various leveled era of keys to accomplish fine-grain get to control, versatility and

appointment. Notwithstanding, this approach suggests that traits ought to be managed by the

same root domain authority. In[17], authors amplify CP-ASBE with a various leveled

structure to clients keeping in mind the end goal to enhance versatility and flexibility. This

approach gives progressive key structure. Another approach is Flexible and Efficient Access

Control Scheme (FEACS) [2]. It depends on KP-ABE and gives a get to control structure

spoke to by an equation including AND, OR and NOT, empowering more expressiveness for

KP-ABE. The previously mentioned ABE-based arrangements proposed for understanding

access control in Cloud registering depend on the Attribute-based Access Control (ABAC)



display. As remarked in Section 1, both ABAC and RBAC models have their own favorable

circumstances and hindrances [7] [9]. On one hand, RBAC may require the definition of

countless for fine-grain approval (part blast issue in RBAC). ABAC is additionally simpler to

set up without need to try on part investigation as required for RBAC. On another hand,

ABAC may bring about countless since a framework with n credits would have up to 2n

conceivable rule combinations(rule explosion problem in ABAC).ABAC isolates approval

rules from client properties, making it difficult to decide authorizations accessible to a

specific user, while RBAC is deterministi can privileges can be effortlessly controlled by the

information proprietor. In addition, the cryptographic operations utilized as a part of ABE

methodologies typically confine the level of expressiveness gave by the get to control rules.

Solidly, part chain of importance and protest progression abilities gave by SecRBAC can't be

accomplished by current ABE plans. Also, private keys in ABE ought to contain the qualities

of the client, which tights the keys to consents in the get to control approach. In SecRBAC,

client keys just recognize their holders and they are not attached to the approval display. That

is, client benefits are totally free of their private key. At last, no client driven approach for

approval guidelines is given by current ABE arrangements. In SecRBAC, a solitary get to

arrangement defined by the information proprietor can ensure more than one bit of

information, bringing about a client driven approach for govern administration. Moreover, the

proposed arrangement offers help for the ontological portrayal of the approval demonstrate,

giving extra thinking instruments to adapt to issues, for example, recognition of conflicts

between various approval rules.

PROPOSED METHODOLOGY

We proposed a reliable re-encryption scheme in unreliable cloud .R3 is the time based re-

encryption scheme,which allows each cloud services to automatically re-encrypt data based

on its internal clock. The basic idea of this R3 is to associate the data with an access control

and access time. Each user is issued key associated with attibutes and attribute effective time.

Data-centric solution with data protection for the Cloud Service Provider to be unable to

access it. Rule-based approach for authorization where rules are under control of the data

owner. High expressiveness for authorization rules applying the RBAC scheme with role

hierarchy and resource hierarchy.

Role Manager

Role Manager provides user registration service to register user profile that includes a user

ID, password, and provide a small amount of additional information, including affiliation,

country, and a valid e-mail address and importantly role of the users. This information is

never provided to any application without a user's explicit permission.

Encryption/Decryption Algorithm:

Blowfish is a symmetric block cipher algorithm for encryption/decryption. Blowfish is

accepted as a fast and strong encryptison algorithm because it has not been cracked. Blowfish

is fixed 64 bit block cipher and a takes key length from 32-448bits. Total 16 processing



rounds of data encryption is performed in Blowfish. This algorithm is divided into two parts-

(i) Key expansion and (ii) Data encryption. In key expansion process 448 bits key is

converted into 4168 bytes. The advantages of blowfish algorithm are that it is secure and easy

to implement and best for hardware implementation, but the disadvantage is it require more

space for the cipher text because of difference between key size and block size.

Time Based One Time Password:

Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time

password from a shared secret key and the current time. It has been adopted as Internet

standard RFC 6238,[1] is the cornerstone of Initiative For Open Authentication (OATH) and

is used in a number of authentication systems.

TOTP is an example of a hash-based message authentication code (HMAC). It combines a

secret key with the current timestamp using a cryptographic hash function to generate a one-

time password. The timestamp typically increases in 30-second intervals, so passwords

generated close together in time from the same secret key will be equal.

User Login

A login, logging in or logging on is the entering of identifier information into a system by a

user in order to access that system (e.g., a computer or a website). It is an integral part of

computer security procedures.A login generally requires the user to enter two pieces of

information, first a user name and then a password. This information is entered into

a login window on a GUI (graphical user interface) or on the command line in a console (i.e.,

an all-text mode screen), depending on the system and situation. A user name, also referred to

as an account name, is a string (i.e., sequence of characters) that uniquely identifies a user.

User names can be the same as or related to the real names of users, or they can be

completely arbitrary.

Key Generator Login:

A key generator is used in many cryptographic protocols to generate a sequence with many

pseudo-random characteristics.

SETUP AND RESULTS

Given Below we have provided the setup of the portal

Figure-1 Overall Architecture Diagram



During this process the user can register through client interface and get their data encrypted

using re-encryption. One public key will be handled by the cloud server and private key will

be maintained by the data owner. CSP will handle the private key which encrypt the data in

the privacy table. when another user tried to access or modify the data in cloud,propwer

access permission is needed. Once permission is issued data is accessed without any

retriction. The key manager is responsible for generating the key and sending requested key

to client through mail. Once key is received, the user will decrypt the data.Role manager is

respsible for assigning the roles to users. Cloud admin taking the accessibilities of role

manager.

Figure-2 Index Page

Figure-3 Client registration interfaces

Figure-4 Client upload files

Figure-5 View of uploaded file before

encryption

Figure-6 Encrypted file view

Figure-7 Key Generator to send key

CONCLUSION

In this article, we have investigated the privacy challenges in the Cloud computing by first

identifying the data privacy requirements and then discussing whether existing privacy-

preserving techniques are sufficient for data processing. We have also introduced an efficient


IJSRE Vol. 1 (4), April, 2017 www.ijsre.in 5

and privacy-preserving Two-level encryption in response to the efficiency and privacy

requirements of data mining in the cloud.

REFERENCES

1. IBM, “Big Data at the Speed of Business,” http://www-1.ibm.com/software/data/bigdata/,

2012.

2. X. Wu et al., “Data Mining with Big Data,” IEEE Trans. Knowledge DataEng., vol. 26,

no. 1, 2014, pp. 97–107.

3. S. Liu, “Exploring the Future of Computing,” IT Professional, vol. 15, no.1, 2013, pp.2-3.

4. Oracle, “Oracle Big Data for the Enterprise,”

http://www.oracle.com/caen/technologies/big-data, 2012.

5. “Big Data at CSAIL,” http://bigdata.csail.mit.edu/

6. R. Lu et al., “EPPA: An Efficient and Privacy-Preserving Aggregation Shemefor Secure

Smart Grid Communications,” IEEE Trans. Parallel Distrib. Sys.,vol. 23, no. 9, 2012, pp.

1621–31.

7. P. Paillier, “Public-Key Cryptosystems based on Composite Degree Residuosity Classes,”

EUROCRYPT, 1999, pp. 223–38.

8. M. Li et al., “Toward Privacy-Assured and Searchable Cloud Data StorageServices,”

IEEE Network, vol. 27, no. 4, 2013, pp. 1–10.

9. A. Cavoukian and J. Jonas, “Privacy by Design in the Age of Big Data,”Office of the

Information and Privacy Commissioner, 2012.

10. R. Lu, X. Lin, and X. Shen, “SPOC: A Secure and Privacy-Preserving Opportunistic

Computing Framework for Mobile-Healthcare Emergency,”

11. J. W. Byun and D. H. Lee, “On a security model of conjunctive keyword search over

encrypted relational database,” J. Syst. Softw., vol. 84, no. 8, pp. 1364–1372, 2011.

12. M. Ding, F. Gao, Z. Jin, and H. Zhang, “An efficient public key encryption with

conjunctive keyword search scheme based on pairings,” in Proc. 3rd IEEEInt. Conf.

Netw. Infrastruct. Digit. Content (IC-NIDC), Beijing, China, Sep. 2012, pp. 526–530.

13. J. Shao, Z. Cao, X. Liang, and H. Lin, “Proxy re-encryption with keyword search,” Inf.

Sci., vol. 180, no. 13, pp. 2576–2587, 2010.

14. W.-C. Yau, R. C.-W. Phan, S.-H. Heng, and B.-M. Goi, “Proxy re-encryption with

keyword search re-encryption with keyword search: New definitions and algorithms,” in

Proc. Int. Conf. Security Technol., vol. 122. Jeju Island, Korea, Dec. 2010, pp. 149–160.

15. L. Fang, W. Susilo, C. Ge, and J. Wang, “Chosen-ciphertext secure anonymous

conditional proxy re-encryption with keyword search,” Theoretical Comput. Sci., vol.

462, pp. 39–58, Nov. 2012.

16. X. A. Wang, X. Huang, X. Yang, L. Liu, and X. Wu, “Further observation on proxy re-

encryption with keyword search,” J. Syst. Softw., vol. 85, no. 3, pp. 643–654, 2012.

17. R. Canetti, O. Goldreich, and S. Halevi, “The random oracle methodology, revisited,” J.

ACM, vol. 51, no. 4, pp. 557–594, 2004.

18. M. Bellare, A. Boldyreva, and A. Palacio, “An uninstantiable randomoracle-model

scheme for a hybrid-encryption problem,” in Proc. Int. Conf. Theory Appl. Cryptogr.

Techn. (EUROCRYPT), vol. 3027. Interlaken, Switzerland, May 2004, pp. 171–188.



19. J. W. Byun, H. S. Rhee, H.-A. Park, and D. H. Lee, “Offline keyword guessing attacks on

recent keyword search schemes over encrypted data,” in Proc. 3rd VLDB Workshop

Secure Data Manage. (SDM), vol. 4165. Seoul, Korea, Sep. 2006, pp. 75–83.

20. W.-C. Yau, R. C.-W. Phan, S.-H. Heng, and B.-M. Goi, “Keyword guessing attacks on

secure searchable public key encryption schemes with a designated tester,” Int. J.

Comput. Math., vol. 90, no. 12, pp. 2581–2587, 2013.



role based access control to protect cloud data … · preserve data against the service provider...

Documents