
e-ISSN (O): 2348-4470
p-ISSN (P): 2348-6406
Scientific Journal of Impact Factor (SJIF): 4.72
International Journal of Advance Engineering and Research Development
Volume 4, Issue 2, February 2017

A Survey on Data Access Control for Multiauthority Cloud Storage Systems

Akhil Eapen John 1, Rohan Siby 2, Soumya Sara Koshy 3

1 B.Tech Student, Department of Computer Science and Engineering, MBCCET, Peermade, Kerala, India
2 B.Tech Student, Department of Computer Science and Engineering, MBCCET, Peermade, Kerala, India
3 Assistant Professor, Department of Computer Science and Engineering, MBCCET, Peermade, Kerala, India

Abstract: Data access control is the most basic security mechanism in cloud computing. Adding ciphertext-policy attribute-based encryption (CP-ABE) strengthens it considerably: a user cannot obtain the data without satisfying the access policy. Still, anyone who satisfies the policy is treated as a valid user and obtains the data, including a former user who has already been removed from the organization. User revocation was therefore introduced. This paper compares DAC-MACS, EDAC-MACS and NEDAC-MACS. The survey shows that NEDAC-MACS is the better choice for a multiauthority implementation.

Keywords: Access control, multiauthority, CP-ABE, attribute revocation.

I. INTRODUCTION

Cloud computing extends the existing capabilities of Information Technology (IT), since the cloud adaptively provides storage and processing services such as SaaS, IaaS and PaaS that dynamically increase capacity and add capabilities without investment in new infrastructure or licensing of new software. However, the data access control (DAC) problem of cloud computing systems has been escalated by the surge in attacks such as collusion, wiretapping and distortion, so DAC must be designed with sufficient resistance. DAC issues are mainly related to the security policies imposed on the users accessing the uploaded data; DAC techniques must specify their own security access policies and further support policy updates, on the basis of which each valid user can access some particular sets of data while invalid users are denied access. One approach to mitigating attacks is to store the outsourced data in encrypted form. However, because the cloud is normally only semi-trusted and administration rights are hard to arrange, cloud-based access control approaches built on traditional encryption are no longer applicable to cloud storage systems. Sahai and Waters laid a theoretical foundation for solving this encryption problem by introducing the concept of attribute-based encryption (ABE), whose prototype is identity-based encryption (IBE). The ABE notion has been a promising cryptographic approach on which much intensive research is based. V. Goyal et al. first proposed key-policy attribute-based encryption (KP-ABE) for fine-grained access control. In KP-ABE the data is encrypted under an attribute set, and decryption is possible only when the user's policy tree matches the attribute set in the ciphertext. Shortly after KP-ABE, J. Bethencourt introduced ciphertext-policy attribute-based encryption (CP-ABE), in which the user receives attributes and secret keys from the attribute authority and can decrypt a ciphertext only if it holds sufficient attributes to satisfy the access policy embedded in the ciphertext. Furthermore, the constructed CP-ABE scheme is deemed one of the most appropriate techniques for data access control in cloud storage systems, since it can be configured into DAC schemes that do not require the data owners to distribute keys and that give the data owners more efficient, attribute-level control over the defined access policies offline. A myriad of data access control techniques based on CP-ABE have been proposed to construct efficient, secure, fine-grained and attribute-level-revocable access schemes in a semi-trusted cloud storage system. However, under the Dolev-Yao model, security goals such as active attack resistance, data confidentiality, anti-collusion and attribute-revocation security cannot all be perfectly guaranteed by most solution designs, since a capable Dolev-Yao adversary can overhear, intercept, replay and synthesize arbitrary information on the open communication channels. For example, in the context of attribute revocation in the scenario of Yang et al.

II. CP-ABE

In ciphertext-policy attribute-based encryption (CP-ABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure over attributes. Decryption is enabled if and only if the user's attribute set satisfies the ciphertext's access structure. This provides fine-grained access control on shared data in many practical settings, including secure databases and secure multicasting. In the traditional way, the communication model was one-to-one, i.e. one attribute could communicate with only one application. But in many applications there is one-to-many communication among all applications, which makes multicasting impossible. To solve this, a policy known as ciphertext policy is used. It includes four phases. Setup: consider a universe of attributes N = {1, ..., n}; select groups equipped with a bilinear map, arrange them and extract random elements. Encrypt: the selected data is encrypted with other data; a key is generated for the encrypted data and sent from a device. Decrypt: the decryption key on the device is cross-checked against the encryption key and the policy, and if it matches, access to the data is granted. The next approach is selective data sharing. For example, if the Principal wants to give some data to the lab assistants, he selects attributes common to all lab assistants that distinguish them from other staff. A tree is formed and the data is placed under the root node "lab assistant". Multicasting is done more effectively, the database is secured from outside interference, and because the data is segregated as a tree, entities can be identified easily.

III. DAC-MACS

Data access control for multiauthority cloud storage systems (DAC-MACS) is a beneficial way to ensure the data security of a cloud storage system. The two main challenging issues of current cloud storage systems are data outsourcing and untrusted cloud servers. Attribute-based encryption (ABE) determines decryption ability based on a user's attributes. In a multi-authority ABE scheme, multiple attribute authorities monitor different sets of attributes and issue the corresponding decryption keys to users, and an encryption can require that a user obtain keys for appropriate attributes from each authority before decrypting a message. Chase gave a multi-authority ABE scheme using the concepts of a trusted central authority (CA) and global identifiers (GID). However, the CA in that construction has the power to decrypt every ciphertext, which seems somewhat contradictory to the original goal of distributing control over many potentially untrusted authorities. Moreover, in that construction the use of a consistent GID allowed the authorities to combine their information to build a full profile of all of a user's attributes, which unnecessarily compromises the user's privacy.

3.1 Advantages

- Access control for data
- Multiple authorities for security

3.2 Disadvantages

- Vulnerable to collusion
- High computation cost
- Storage overhead

IV. EDAC-MACS

Data access control is an effective way to ensure data security in the cloud. However, because of data outsourcing and untrusted cloud servers, data access control becomes a challenging issue in cloud storage systems. Existing access control schemes are no longer applicable to cloud storage systems, because they either produce multiple encrypted copies of the same data or require a fully trusted cloud server. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising technique for access control of encrypted data. Because of data outsourcing, the cloud server cannot be fully trusted to enforce data access control, which would mean discarding the cloud storage system altogether. As more users join the network, key management becomes more complex: the data owner must give a key value to each different user, which leads to storage overhead. To solve this problem, the CP-ABE (Ciphertext-Policy Attribute-Based Encryption) approach is used: the owner defines access policies and encrypts data under those policies, so the key value can be given to the people who satisfy them. For example, in an e-health system, medical data is shared by a doctor with an authorised medical researcher. Revocation efficiency matters because data in cloud storage may change. The two requirements on attribute revocation are:

1. Backward security: the revoked user (a person who is no longer in the organization) cannot decrypt the new ciphertext.
2. Forward security: a newly joined user with sufficient attributes can decrypt the ciphertext.

The DAC-MACS algorithm is used to provide security for the ciphertext and has data revocation capability. Implementing the DAC-MACS framework involves five phases.

Phase 1: A certified-authority page for granting keys is set up. One user registers as the certified authority and then registers another user as an attribute authority; a page with some delegations for the attribute authority is then generated automatically.

Phase 2: A secret key is generated by an algorithm that takes the secret authority key, the system parameters, the attributes, the attribute keys and a certificate as input.

Phase 3: An encryption key is generated by an encryption algorithm that takes as input the system parameters, a set of public keys from the involved attribute authorities, a set of public attributes, the data and an access structure A over all the selected AAs. The algorithm first encrypts the data with a symmetric encryption method under a content key k; then it encrypts the content key k under the access structure A and outputs a ciphertext CT. The ciphertext is assumed to implicitly contain the access structure A.

Phase 4: This phase corresponds to decryption. First a token is generated from the ciphertext containing the access structure A, the user's global public key and a set of keys. The algorithm works only if the keys satisfy the ciphertext policy. It then decrypts the content key, followed by the data.

Phase 5: Attribute revocation is done in this phase. First an update key is generated; the secret key of the current user is then combined with it to generate a secret update key, and the ciphertext is converted into another ciphertext.
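As an added illustration (not code from the paper or from the DAC-MACS authors), the following Python model ties the CP-ABE access-structure semantics of Section II to the revocation requirements and phases of this section: attributes are named "authority:attribute", gates are AND/OR/k-of-n threshold, and revocation is modelled as an attribute version bump rather than with bilinear-group arithmetic. The authority name, the policy and the users are constructed for the example.

```python
# Constructed model of CP-ABE access-structure evaluation plus versioned
# attribute revocation. Access semantics only: no bilinear groups or real
# ciphertexts, and update keys are modelled as version bumps.

def satisfies(policy, attrs):
    # policy: attribute string, or ['AND', ...], ['OR', ...], ['THRESHOLD', k, ...]
    if isinstance(policy, str):
        return policy in attrs
    gate, *children = policy
    if gate == "THRESHOLD":
        return sum(satisfies(c, attrs) for c in children[1:]) >= children[0]
    hits = [satisfies(c, attrs) for c in children]
    return all(hits) if gate == "AND" else any(hits)

class AttributeAuthority:
    def __init__(self, name, attrs):
        self.version = {f"{name}:{a}": 1 for a in attrs}  # current version per attribute

    def keygen(self, attrs):
        # Phase 2: a secret key binds each attribute to its current version.
        return {a: self.version[a] for a in attrs}

    def revoke(self, attr, keep_keys, ciphertexts):
        # Phase 5: new attribute version (the update key); non-revoked holders
        # get a Key Update Key, affected ciphertexts a Ciphertext Update Key.
        self.version[attr] += 1
        for key in keep_keys:
            if attr in key:
                key[attr] = self.version[attr]
        for ct in ciphertexts:
            if attr in ct["versions"]:
                ct["versions"][attr] = self.version[attr]

def encrypt(policy, authorities):
    # Phase 3 (CP-ABE part only): the ciphertext implicitly carries A and the
    # attribute versions it was produced under.
    versions = {a: v for aa in authorities for a, v in aa.version.items()}
    return {"policy": policy, "versions": versions}

def can_decrypt(key, ct):
    # Phase 4: only attributes whose key version matches the ciphertext's may be used.
    usable = {a for a, v in key.items() if ct["versions"].get(a) == v}
    return satisfies(ct["policy"], usable)

def revocation_demo():
    # Returns (alice before, alice after revocation, bob after, newcomer after).
    aa = AttributeAuthority("mbccet", ["lab_assistant", "principal", "cse"])
    policy = ["OR", "mbccet:principal", ["AND", "mbccet:lab_assistant", "mbccet:cse"]]
    alice = aa.keygen(["mbccet:lab_assistant", "mbccet:cse"])
    bob = aa.keygen(["mbccet:lab_assistant", "mbccet:cse"])
    ct = encrypt(policy, [aa])
    before = can_decrypt(alice, ct)
    aa.revoke("mbccet:lab_assistant", keep_keys=[bob], ciphertexts=[ct])
    carol = aa.keygen(["mbccet:lab_assistant", "mbccet:cse"])  # joins after revocation
    return before, can_decrypt(alice, ct), can_decrypt(bob, ct), can_decrypt(carol, ct)
```

The demo exercises both requirements: the revoked user loses access to the updated ciphertext (backward security) while a later joiner with the right attributes can decrypt it (forward security). Note that in this model the Key Update Key is not bound to a particular user, which is the weakness Section V describes for DAC-MACS; NEDAC-MACS changes the Secret Key Generation and Attribute Revocation phases to close it.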

4.1 Advantages

- Updating and deleting ciphertext is possible
- Data separation is done in an amazing way
- Storage overhead is removed

4.2 Disadvantages

- Multicasting is not possible
- Privacy is reduced
- Security is not compromised
- There is a central authority that does not consider the revocation problem much, so a revoked user may access data
- High chance of malicious users or viruses
- High computational overhead

V. NEDAC-MACS

A new extensive DAC-MACS scheme (NEDAC-MACS) is proposed to withstand the two attacks below, so as to support more secure attribute revocation. Two attacks are first constructed on the vulnerabilities of revocation security in DAC-MACS and EDAC-MACS. In the first attack, the revoked user eavesdrops to obtain other users' Key Update Keys, updates its Secret Keys with them, and can then obtain a proper Token to decrypt any secret information as a non-revoked user, as before. In the second, the revoked user intercepts the Ciphertext Update Key to regain its ability to decrypt any secret information as a non-revoked user. Secondly, a new extensive DAC-MACS scheme, denoted NEDAC-MACS, is proposed to withstand the above two attacks and support more secure attribute revocation. Some DAC-MACS algorithms are modified, and the vital ciphertext update communication between the cloud server and the AAs is performed with more secure algorithms. The NEDAC-MACS scheme mainly includes two improvements on DAC-MACS, at the Secret Key Generation phase and the Attribute Revocation phase, and it runs correctly according to the correctness proof of NEDAC-MACS. Two attacks are given on DAC-MACS and EDAC-MACS against their backward revocation security. Then a new effective data access control scheme for multiauthority cloud storage systems (NEDAC-MACS) is proposed to withstand the two vulnerabilities. NEDAC-MACS withstands them even if the non-revoked users reveal their received Key Update Keys to the revoked user. In NEDAC-MACS, the revoked user has no chance to decrypt any target ciphertext even if it actively eavesdrops to obtain an arbitrary number of non-revoked users' Key Update Keys. A formal cryptanalysis of NEDAC-MACS is given to prove that it guarantees collusion resistance, secure attribute revocation, data confidentiality and provable security against static corruption of authorities in the random oracle model. A task is provided that checks security before giving a key to the user; hence data outsourcing is done.


A performance analysis of NEDAC-MACS is conducted by making an efficiency comparison among related CP-ABE schemes, to show that NEDAC-MACS is security-enhanced without much loss of efficiency. The major overhead of decryption is also securely outsourced to the cloud servers, and the overall overheads of storage, communication and computation of NEDAC-MACS are superior to those of DACC and about the same as those of DAC-MACS. Because of the open and non-secure communication channel in the context of attribute revocation, the revoked user, as a Dolev-Yao attacker, can still breach the backward revocation security of both DAC-MACS and EDAC-MACS when it eavesdrops to obtain more than two users' Key Update Keys to update its Secret Key, or when it intercepts the Ciphertext Update Key. Therefore, the vulnerable algorithms of the EDAC-MACS scheme at the Secret Key Generation phase and the Attribute Revocation phase are modified, so that the vital ciphertext update communications between the cloud servers and the AAs are performed with security-enhanced algorithms in the NEDAC-MACS scheme, which ensures the real security goals on the open and non-secure communication channel.

5.1 Advantages

- NEDAC-MACS can guarantee collusion resistance
- Secure attribute revocation
- Data confidentiality and a secure communication channel
- Provable security against static corruption of authorities based on the random oracle model
- Two attacks on mona are easily compromised
- Performance is high compared to previous models

5.2 Disadvantages

- Computation overhead is high
- The attribute authority cannot grant permission to access data for a short amount of time
- More space is needed for storing all details, which may be unbearable

VI. COMPARISON

| No | Parameter | DAC-MACS | EDAC-MACS | NEDAC-MACS |
|----|-----------|----------|-----------|------------|
| 1 | Collusion resistance | Not possible, vulnerable to collusion | Not possible, vulnerable to collusion | Possible |
| 2 | Revocation | Only forward revocation possible | Both | Both revocations possible |
| 3 | Confidentiality | User data is kept confidential | Cloud and user data is kept confidential | Cloud and user data is kept confidential |
| 4 | Storage overhead | Much higher | High | Less |
| 5 | Communication overhead | Ciphertext update: \|\| | Ciphertext update: \|\| | Ciphertext update: 3\|\| |

VII. CONCLUSION

This survey concludes that the new NEDAC-MACS scheme is more efficient and powerful than DAC-MACS. It also reduces the storage overhead, which makes it considerably better than EDAC-MACS. But the communication overhead has increased, which is left for future work. Hence we conclude that the system is made more complex, which increases security.
