International Journal of Computer Systems (ISSN: 2394-1065), Volume 03 Issue 02, February, 2016

Available at http://www.ijcsonline.com/

Decentralized Access Control Based Crime Analysis

a

Badhusha S , aChippy Raju, aDhanya V.S, aNazila A.N, aSyamini S, bSuja Vijayan, cJooby E

College of Engineering, Perumon, Kerala, India

Department of Information Technology, College of Engineering, Perumon, Kerala, India
C
Department of computer science, College of Engineering, Perumon, Kerala, India

Abstract
For securing data in cloud, we propose a new privacy preserving authenticated access control scheme. In this scheme,
mainly cloud verifies the users authenticity. And this be done without knowing the users identity before storing
information. It also has some added features of access control in which, only the authorized or valid users are able to
decrypt the stored information. It also support modification, creation and reading data within the cloud and prevent
replay attacks. One of the main advantages of this scheme is the authentication and access control. But in other schemes
access control designed for clouds are centralized. And the scheme is also robust and decentralized. The properties that
are comparable to centralized approaches are communication, computation and storage.
Keywords: Access control, authentication, attribute based signature, attribute based encryption, cloud storage.

I.

INTRODUCTION

Cloud computing, also known as 'on-demand

computing', is a kind of Internet-based computing, where
shared resources, data and information are provided to
computers and other devices on-demand. Cloud computing
has now become a highly demanded service or utility due
to the advantages of high computing power, cheap cost of
services, high performance, scalability, accessibility as well
as availability. Cloud vendors are experiencing growth. As
cloud computing provides storage space, a large amount of
redundant data is being stored and shared by users with
specified privilege, which define the access rights of the
stored data. In cloud computing by using the internet users
can outsource their computation and storage to servers.
This help the servers from the hassles of maintaining
resources on-site. One significant challenge of cloud
storage services is the management of the ever-increasing
volume of data. Cloud computing provides a low cost,
scalable, location independent infrastructure for data
management and storage. The rapid adoption of cloud
services is accompanied by increasing volumes of data
stored at remote servers, hence techniques for saving disk
space and network bandwidth are needed. A central
upcoming concept in this context is deduplication, where
the server stores a single copy of each file, in spite of how
many clients asked to store that file. All clients that store
the file merely use links to the single copy of the file stored
at the server. Moreover, if the server already has a copy of
the file then clients do not even need to store it again to the
server, thus saving bandwidth as well as storage. In a
typical storage system with deduplication, a client first
uploads the data, the third party auditor which is a trusted
one ,computes the hash value from the data which is
uploaded by the user and this hash value acts as the
convergent key and the third party auditor checks if that
hash value already exists in its database. if the hash is not

in the database then the entire file will be stored in the

cloud and the corresponding convergent key will be stored
in the hash table. Otherwise, since the file already exists
,the convergent key will be in the hash table (potentially
uploaded by someone else),then the convergent key
generated for the already uploaded file will be shared to the
current user thereby only one physical copy exists in the
cloud. That is, only one physical copy of that redundant file
is stored in the cloud. Several types of services like
applications are provided by cloud. Since servers are
provided to a remote server security and privacy are of
major concern in cloud computing. User privacy is one of
the important factor. The cloud can hold the user
accountable for the data it outsources and likewise the
cloud itself accountable for the services it provides.
Access control in clouds is gaining attention because it
is important that only authorized users have access to valid
service. A huge amount of information is being stored in
the cloud, and much of this is sensitive information. Care
should be taken to ensure access control of this sensitive
information which can often be related to health, important
documents (as in Google Docs or Dropbox) or even
personal information (as in social networking). There are
broadly three types of access control: user-based access
control (UBAC), role-based access control (RBAC), and
attribute-based access control (ABAC). In UBAC, the
access control list contains the list of users who are
authorized to access data.
This is not feasible in clouds where there are many
users. In RBAC users are classified based on their
individual roles. Data can be accessed by users who have
matching roles. The roles are defined by the system. For
example, only faculty members and senior secretaries
might have access to data but not the junior secretaries.
ABAC is more extended in scope, in which users are given
attributes, and the data has attached access policy. Only

94 | International Journal of Computer Systems, ISSN-(2394-1065), Vol. 03, Issue 02, February, 2016

Badhusha S et al

Decentralized Access Control Based Crime Analysis

users with valid set of attributes, satisfying the access

policy, can access the data. All these work use a
cryptographic primitive known as attribute based
encryption (ABE). The extensible access control markup
language proposed for ABAC in clouds.
An area where access control is widely being used is
health care. Clouds are being used to store sensitive
information about patients to enable access to medical
professionals, hospital staff, researchers, and policy
makers. It is important to control the access of data so that
only authorized users can access the data. Using ABE, the
records are encrypted under some access policy and stored
in the cloud. Users are given sets of attributes and
corresponding keys. Only when the users have matching
set of attributes, can they decrypt the information stored in
the cloud. Access control is also gaining importance in
online social networking where users (members) store their
personal information, pictures, videos and share them with
selected groups of users or communities they belong to.
Such data are being stored in clouds. It is very important
that only the authorized users are given access to those
information
However, the authors take a centralized approach where
a single key distribution center (KDC) distributes secret
keys and attributes to all users. Unfortunately, a single
KDC is not only a single point of failure but difficult to
maintain because of the large number of users that are
supported in a cloud environment. We, therefore,
emphasize that clouds should take a decentralized approach
while distributing secret keys and attributes to users. It is
also quite natural for clouds to have many KDCs in
different locations in the world
we extend our previous work with added features that
enables to authenticate the validity of the message without
revealing the identity of the user who has stored
information in the cloud. In this version we also address
user revocation.
We use ABS scheme to achieve authenticity and
privacy. our scheme is resistant to replay attacks, in which
a user can replace fresh data with stale data from a previous
write, even if it no longer has valid claim policy. This is an
important property because a user, revoked of its attributes,
might no longer be able to write to the cloud. We,
therefore, add this extra feature in our scheme . Our scheme
also allows writing multiple times which was not permitted
in our earlier work .

1.1 Our Contributions

The main contributions of this paper are the following:
1. Distributed access control of data stored in cloud so
that only authorized users with valid attributes can access
them.
2. Authentication of users who store and modify their
data on the cloud.
3. The identity of the user is protected from the cloud
during authentication.
4. The architecture is decentralized, meaning that there
can be several KDCs for key management.

5. The access control and authentication are both

collusion resistant, meaning that no two users can collude
and access data or authenticate themselves, if they are
individually not authorized.
6. Revoked users cannot access data after they have
been revoked.
7. The proposed scheme is resilient to replay attacks. A
writer whose attributes and keys have been revoked cannot
write back stale information.
8. The protocol supports multiple read and write on the
data stored in the cloud.
9. The costs are comparable to the existing centralized
approaches, and the expensive operations are mostly done
by the cloud.
II.

RELATED WORK

In ABE, a user has a set of attributes in addition to its

unique ID. There are two classes of ABEs. In key-policy
ABE or KP-ABE (Goyal et al. [27]), the sender has an
access policy to encrypt data. A writer whose attributes and
keys have been revoked cannot write back stale
information. The receiver receives attributes and secret
keys from the attribute authority and is able to decrypt
information if it has matching attributes. In Ciphertextpolicy, CP-ABE ([28], [29]), the receiver has the access
policy in the form of a tree, with attributes as leaves and
monotonic access structure with AND, OR and other
threshold gates. All the approaches take a centralized
approach and allow only one KDC, which is a single point
of failure. Chase [30] proposed a multi authority ABE, in
which there are several KDC authorities (coordinated by a
trusted authority) which distribute attributes and secret
keys to users. Multi authority ABE protocol was studied in
[31] and [32], which required no trusted authority which
requires every user to have attributes from at all the KDCs
III.

IMPLEMENTATION

In this section, we present our cloud storage model,

adversary model and the assumptions we have made in the
paper. Table 1 presents the notations used throughout the
paper. We also describe mathematical background used in
our proposed solution.
A. Assumptions
We make the following assumptions in our work:
1. The cloud is honest-but-curious, which means that
the cloud administrators can be interested in viewing users
content, but cannot modify it. Honest-but-curious model of
adversaries do not tamper with data so that they can keep
the system functioning normally and remain undetected.
2. Users can have either read or write or both accesses
to a file stored in the cloud.
3. All communications between users/clouds are
secured by secure shell protocol, SSH.
B. Formats of Access Policies
Access policies can be in any of the following formats:
a. Boolean functions of attributes,

95 | International Journal of Computer Systems, ISSN-(2394-1065), Vol. 03, Issue 02, February, 2016

Badhusha S et al

Decentralized Access Control Based Crime Analysis

b. Linear secret sharing scheme (LSSS) matrix of the

data [1], or
c. Monotone span programs

Then, HABE scheme is defined by presenting

randomized polynomial time algorithms as follows:

Setup (K)(params,MK0): The RM takes a

sufficiently large security parameter K as input, and
outputs system parameters params and root master key
MK0.
CreateDM(params,MKi, PKi+1) (MKi+1): Whether
the RM or the DM generates master keys for the DMs
directly under it using params and its master key.
CreateUser(params,MKi, PKu, PKa) (SKi,u,
SKi,u,a):
The DM first checks whether U is eligible for a, which
is administered by itself. If so, it generates a user identity
secret key and a user attribute secret key for U, using
params and its master key; otherwise, it outputs NULL.

Attribute-Based Encryption:
a) System Initialization
b) Key Generation and Distribution by KDCs
c) Encryption by Sender
d) Decryption by Receiver

Encrypt(params; f ;A; {PKa|a E A})(CT): A user

takes a file f, a DNF access control policy A, and public
keys of all attributes in A, as inputs, and outputs a
ciphertext CT.
Decrypt(params,CT,SKi,u,{SKi,u,a|aECCj}
(f):A

Attribute-Based Signature Scheme:

a) System Initialization
b) User Registration

user,whose attributes satisfy the j-th conjunctive clause

CCj, takes params, the ciphertext, the user identity secret
key, and the user attribute secret keys on all attributes in
CCj, as inputs, to recover the plaintext.

c) KDC Setup
d) Attribute Generation

IV. PROPOSED PRIVACY PRESERVING

AUTHENTICATED ACCESS CONTROL SCHEME

e) Sign
f) Verify

C.

Hierarchical attribute-based Encryption

This scheme Hierarchical attribute-based encryption
(HABE) consists of a root master (RM) that corresponds to
the third trusted party (TTP),multiple domain masters
(DMs) in which the top-level DMs correspond to multiple
enterprise users, and numerous users that correspond to all
personnel in an enterprise. This scheme used the property
of hierarchical generation of keys in HIBE scheme to
generate keys.

In this section, we propose our privacy preserving

authenticated access control scheme. According to our
scheme a user can create a file and store it securely in the
cloud. This scheme consists of use of the two protocols
ABE and ABS, There are three users, a creator, a reader,
and writer. Creator Alice receives a token _ from the
trustee, who is assumed to be honest. A trustee can be
someone like the federal government who manages social
insurance numbers etc.

96 | International Journal of Computer Systems, ISSN-(2394-1065), Vol. 03, Issue 02, February, 2016

Badhusha S et al

Decentralized Access Control Based Crime Analysis

V.

SECURITY OF THE PROTOCOL

We will explain that our scheme authenticates a user

who wants to write to the cloud. A user should only write
provided the cloud is able to validate it access to the claim.
An invalid user cannot receive the attributes from a KDC,
if it do not have the credentials from the trustee. If a users
credentials are revoked, then it cannot replace data with
previous data, thus preventing replay attacks.
Theorem 1. Our access control scheme is secure, collusion
resistant and allows access only to authorized users.
Theorem 2. Our authentication data is correct, collusion
secure, resistant to the replay of attacks, and protects
privacy of the user.

On presenting her id (like health/social insurance

number), the trustee gives her a token _. There are multiple
KDCs (here 2), which can be scattered. For example, these
can be servers in different parts of the world. A creator on
presenting the token to one or more KDCs receives keys
for encryption/decryption and signing. In the Fig. 1, SKs
are secret keys given for decryption, Kx are keys for
signing. The message MSG is encrypted under the access
policy X. The access policy decides who can access the
data stored in the cloud. The creator decides on a claim
policy Y, to prove her authenticity and signs the message
under this claim. The ciphertext C with signature is c, and
is signature and stores the ciphertext C. When a reader
wants to read, the cloud sends C. If the user has attributes
matching with access policy, it can decrypt and get back
original message. When a reader wants to read some data
stored in the cloud, it tries to decrypt it using the secret
keys it receives from the KDCs. If it has enough attributes
matching with the access policy, then it decrypts the
information stored in the cloud.

Next we confirm that only a valid user with valid

access claim is only able to store the message in the cloud.
A user who wants to create a file and tries to make a wrong
access claim, cannot do so, since it will not have attribute
keys Kx from the related KDCs. Since the message is
encrypted, a user without valid access policy cannot
decrypt and change the information.

A. RSA Algorithm
RSA algorithm is used for securing users
details(contents in PHR). RSA is a public key encryption
algorithm. RSA involves a public key and a private key.
The public key can be known by everyone and is used for
encrypting messages. Messages encrypted with the public
key can only be decrypted in a reasonable amount of time
using the private key. The keys for the RSA algorithm are
generated the following way:
1.

Choose two distinct prime numbers p and q.

For security purposes, the integers p and q should
be chosen at random, and should be of similar bitlength. Prime integers can be efficiently found
using a primality test.

2.

Compute
n
=
pq.
n is used as the modulus for both the public and
private keys. Its length, usually expressed in bits,
is the key length.

3.

Compute (n) = (p)(q) = (p 1) (q 1), where

is Euler's totient function.

4.

Choose an integer e such that 1 < e < (n) and

gcd(e, (n)) = 1; i.e. e and (n) are co
prime.
e is released as the public key exponent and
having a short bit-length and small Hamming
weight results in more efficient encryption most
commonly 216 + 1 = 65,537. However, much
smaller values of e (such as 3) have been shown to
be less secure in some settings.

5.

Determine d as d1 e (mod (n)), i.e., d is the

multiplicative inverse of e (modulo (n)).
This is more clearly stated as solve for d given de
1 (mod (n)). This is often computed using the
extended Euclidean algorithm. d is kept as the
private key exponent.

Data Storage in Clouds

A user Uu have one or more trustees. This is used to
prevent to the replay attacks. In this time data is not sent,
then the user can write previous stale message back to the
cloud with a valuable signature, even when its claim policy
and attributes have been revoked.
Reading from the Cloud:
The user requests data from the cloud, the cloud sends
the ciphertext using SSH protocol. Decryption proceeds
using algorithm ABE.
Writing to the Cloud:
The user must send its message with the claim policy as
done during file creation. The cloud verifies the claim
policy, and only if the user is authentic is allowed to write
on the file.
User Revocation:
It should be ensured that users must not have the ability
to access data, even if they possess matching set of
attributes.

97 | International Journal of Computer Systems, ISSN-(2394-1065), Vol. 03, Issue 02, February, 2016

Badhusha S et al

Decentralized Access Control Based Crime Analysis

B. Encryption
Alice transmits her public key (n, e) to Bob and keeps
the private key secret. Bob then wishes to send message M
to Alice. He first turns M into an integer m, such that 0 m
< n by using an agreed-upon reversible protocol known as
a padding scheme. He then computes the ciphertext c
corresponding to
. This can be done
quickly using the method exponentiation by squaring. Bob
then transmits c to Alice.

[5]

[6]

[7]

14th Intl Conf. Financial Cryptography and Data Security, pp. 136149, 2010.
H. Li, Y. Dai, L. Tian, and H. Yang, Identity-Based
Authentication for Cloud Computing, Proc. First Intl Conf. Cloud
Computing (CloudCom), pp. 157-166, 2009.
C. Gentry, A Fully Homomorphic Encryption Scheme, PhD
dissertation, Stanford Univ., http://www.crypto.stanford.edu/
craig, 2009.
A.-R. Sadeghi, T. Schneider, and M. Winandy, Token-Based
Cloud Computing, Proc. Third Intl Conf. Trust and Trustworthy
Computing (TRUST), pp. 417-429, 2010.

C. Decryption
Alice can recover m from c by using her private key
exponent
d
via
computing
.Given m, she can recover the original
message M by reversing the padding scheme.

VI.

CONCLUSION

We have presented a decentralized access control

technique with anonymous authentication, which provides
user revocation and prevents replay attacks. The cloud does
not know the identity of the user who stores information,
but only verifies the users credentials. Key distribution is
done in a decentralized way. One limitation is that the
cloud knows the access policy for each record stored in the
cloud. In future, we would like to hide the attributes and
access policy of a user.

ACKNOWLEDGEMENT
We are greatly indebted to God Almighty for being the
guiding light throughout with his abundant grace and
blessing that strengthened us to do this endeavour with
confidence. We express our heartfelt gratitude towards
Prof. Z.A ZOYA, Principal, College of Engineering
Perumon, for extending all the facilities required for doing
our project. We would also like to thank Dr Dheebha J,
Head, Department of Computer Engineering, for providing
constant support and encouragement. Now We extend our
sincere thanks to our project co-ordinator Mrs.Jooby E,
Assistant professor of Computer Science Department and
project guide Dr. Suja Vijayan, Assistant professor of
Information technology Department for guiding our work
and providing timely advices and valuable suggestions.
Last but not the least; we extend our heartfelt gratitude to
our parents and friends for their support and assistance.
REFERENCES
[1]

[2]

[3]

[4]

S.Ruj,M.Stojmenovic, and
A.Nayak,Privacy Preserving Acess
Control with Authentication for Securing Data in Clouds,Proc.
IEEE/ACM Intl Symp. Cluster, Cloud and Grid Computing, pp.
556- 563, 2012.
C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou, Toward Secure
and Dependable Storage Services in Cloud Computing, IEEE
Trans. Services Computing, vol. 5, no. 2, pp. 220-232, Apr.-June
2012.
J. Li, Q. Wang, C. Wang, N. Cao, K. Ren, and W. Lou, Fuzzy
Keyword Search Over Encrypted Data in Cloud Computing, Proc.
IEEE INFOCOM, pp. 441-445, 2010.
S. Kamara and K. Lauter, Cryptographic Cloud Storage, Proc.

98 | International Journal of Computer Systems, ISSN-(2394-1065), Vol. 03, Issue 02, February, 2016