DELEGATED ACCESS CONTROL IN PUBLIC CLOUDS
ABSTRACT
Current approaches to enforce fine-grained access control on
confidential data hosted in the cloud are based on fine-grained
encryption of the data. Under such approaches, data owners are in
charge of encrypting the data before uploading them on the cloud and
re-encrypting the data whenever user credentials change. Data owners
thus incur high communication and computation costs. A better
approach should delegate the enforcement of fine-grained access control
to the cloud, so as to minimize the overhead at the data owners, while
assuring data confidentiality from the cloud. We propose an approach
based on two layers of encryption that addresses this requirement.
Under our approach, the data owner performs a coarse-grained
encryption, whereas the cloud performs a fine-grained encryption on top
of the owner-encrypted data. A challenging issue is how to decompose
access control policies (ACPs) such that the two layer encryption can be
performed. We show that this problem is NP-complete and propose
novel optimization algorithms. We utilize an efficient group key
management scheme that supports expressive ACPs. Our system assures
the confidentiality of the data and preserves the privacy of users from
the cloud while delegating most of the access control enforcement to the
cloud.
LITERATURE SURVEY
Title: Privacy-Preserving Public Auditing for Secure Cloud Storage
Author: Cong Wang, Sherman S.M. Chow, Qian Wang, Kui Ren, Wenjing Lou
Year: 2013
Description:
Using Cloud Storage, users can remotely store their data and enjoy the on-demand high
quality applications and services from a shared pool of configurable computing
resources, without the burden of local data storage and maintenance. However, the fact
that users no longer have physical possession of the outsourced data makes the data
integrity protection in Cloud Computing a formidable task, especially for users with
constrained computing resources. Moreover, users should be able to just use the cloud
storage as if it is local, without worrying about the need to verify its integrity. Thus,
enabling public auditability for cloud storage is of critical importance so that users can
resort to a third party auditor (TPA) to check the integrity of outsourced data and be
worry-free. To securely introduce an effective TPA, the auditing process should bring in
no new vulnerabilities towards user data privacy, and introduce no additional online
burden to user. In this paper, we propose a secure cloud storage system supporting
privacy-preserving public auditing. We further extend our result to enable the TPA to
perform audits for multiple users simultaneously and efficiently. Extensive security and
performance analysis show the proposed schemes are provably secure and highly
efficient. Our preliminary experiment conducted on Amazon EC2 instance further
demonstrates the fast performance of the design.
SYSTEM ANALYSIS
EXISTING SYSTEM
In the existing approaches, subdocuments are encrypted with different
keys, which are provided to users at the registration phase. The
encrypted subdocuments are then broadcast to all users. However,
such approaches require that all or some keys be distributed in advance
during the user registration phase. This requirement makes it difficult to
assure forward and backward key secrecy when user groups are
dynamic. Further, the rekey process is not transparent, thus shifting the
burden of acquiring new keys onto users. It lays the foundation to make
rekey transparent to users and protect the privacy of the users who
access the content.
PROPOSED SYSTEM
In this system, we propose a new approach to address this
shortcoming. The approach is based on two layers of encryption applied
to each data item uploaded to the cloud. Under this approach, referred to
as two layer encryption (TLE), the data owner performs a coarse-grained
encryption over the data in order to assure the confidentiality of the data
from the cloud. Then the cloud performs fine-grained encryption over the
encrypted data provided by the data owner, based on the ACPs provided
by the data owner. However, the way we perform coarse-grained and
fine-grained encryption is novel and provides a better solution than
existing solutions based on two layers of encryption.
SYSTEM REQUIREMENTS
HARDWARE REQUIREMENTS:
System : Pentium IV 2.4 GHz
Hard disk : 40 GB
Mouse : Logitech
RAM : 2 GB (minimum)
Keyboard : 110 keys enhanced
SOFTWARE REQUIREMENTS:
Operating system : Windows 7
Front End : Microsoft Visual Studio .NET 2010
Coding Language : C#
Backend : SQL Server 2008
1. MODULES
2. MODULE DESCRIPTIONS
Identity Provider:
This module is responsible for registering the users and issuing identity
tokens only to the users who are registered.
Data Owner:
This module is responsible for storing the documents in the cloud storage
service in encrypted form. Whenever a user searches for data using an identity
token, the data owner supplies the security key for the searched document.
Cloud Storage:
This module stores the data of the data owner. Whenever a user searches for a
document and it is found, the cloud storage re-encrypts the encrypted document
and supplies a key to the user.
User:
This module is responsible for registering the user's details with the identity
protocol and receiving identity tokens from the identity protocol. The user then
searches for the relevant documents at the data owner as well as the cloud
storage, receives keys from both modules, downloads the relevant document and
decrypts it with the two keys.
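The two layers described under PROPOSED SYSTEM and in the module descriptions above can be traced end to end in a few lines. The following is an added example, not code from the project: it assumes .NET 8 or later, uses AES-256-GCM for both layers, and draws random keys where the described system would obtain them from the data owner and the cloud; the names TwoLayerDemo, Seal, Open and CanOpen are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration of two layer encryption (TLE); not the project's code.
// Assumes .NET 8+ (AesGcm with an explicit tag size). Keys are random here.
static class TwoLayerDemo
{
    const int NonceLen = 12, TagLen = 16;

    // Returns nonce || tag || ciphertext under AES-256-GCM.
    static byte[] Seal(byte[] key, byte[] plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] tag = new byte[TagLen];
        byte[] ct = new byte[plaintext.Length];
        using (var aes = new AesGcm(key, TagLen))
            aes.Encrypt(nonce, plaintext, ct, tag);
        byte[] blob = new byte[NonceLen + TagLen + ct.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceLen);
        Buffer.BlockCopy(tag, 0, blob, NonceLen, TagLen);
        Buffer.BlockCopy(ct, 0, blob, NonceLen + TagLen, ct.Length);
        return blob;
    }

    // Reverses Seal; throws CryptographicException on a wrong key or a modified blob.
    static byte[] Open(byte[] key, byte[] blob)
    {
        if (blob.Length < NonceLen + TagLen)
            throw new CryptographicException("blob too short");
        byte[] nonce = blob.AsSpan(0, NonceLen).ToArray();
        byte[] tag = blob.AsSpan(NonceLen, TagLen).ToArray();
        byte[] ct = blob.AsSpan(NonceLen + TagLen).ToArray();
        byte[] pt = new byte[ct.Length];
        using (var aes = new AesGcm(key, TagLen))
            aes.Decrypt(nonce, ct, tag, pt);
        return pt;
    }

    static bool CanOpen(byte[] key, byte[] blob)
    {
        try { Open(key, blob); return true; }
        catch (CryptographicException) { return false; }
    }

    static void Main()
    {
        byte[] ownerKey = RandomNumberGenerator.GetBytes(32); // inner layer, never given to the cloud
        byte[] cloudKey = RandomNumberGenerator.GetBytes(32); // outer layer, managed by the cloud
        byte[] record = Encoding.UTF8.GetBytes("constructed sample record");

        byte[] inner = Seal(ownerKey, record);  // owner: coarse-grained layer before upload
        byte[] stored = Seal(cloudKey, inner);  // cloud: fine-grained layer over the owner's ciphertext

        // An authorized user holds both keys and removes the layers in reverse order.
        byte[] plain = Open(ownerKey, Open(cloudKey, stored));
        Console.WriteLine("user with both keys: " + Encoding.UTF8.GetString(plain));

        // The cloud can strip only its own layer; what remains is still sealed by the owner.
        Console.WriteLine("cloud key opens inner layer: " + CanOpen(cloudKey, Open(cloudKey, stored)));

        // Membership change: the cloud swaps the outer layer. The owner's
        // ciphertext is reused unchanged, so nothing is uploaded again.
        byte[] newCloudKey = RandomNumberGenerator.GetBytes(32);
        byte[] rekeyed = Seal(newCloudKey, Open(cloudKey, stored));
        Console.WriteLine("revoked user (old cloud key): " + CanOpen(cloudKey, rekeyed));
        Console.WriteLine("current user (new cloud key): " + CanOpen(newCloudKey, rekeyed));
    }
}
```

Swapping the outer layer stops a revoked user from opening the copy held by the cloud; it does not affect a copy that user already downloaded and decrypted.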
3. Module Diagram
[Module diagrams: Identity Protocol, Data Owner, Cloud Storage, User Access]
SYSTEM DESIGN
Use Case Diagram
A use case diagram is a graph of actors, a set of use cases enclosed by a
system boundary, communication (participation) association between the
actors and the use cases, and generalization among the use cases.
A use case diagram shows the relationship among the actors
(Sender) and use cases within a system.
In our project this diagram indicates the interaction between the user and the
web search interface. It shows the process of searching for and retrieving
relevant information quickly. Users enter a query, which is processed by the
neighborhood and incremental query construction method to form a new query.
The new query is then processed to retrieve accurate data from the database.
Class Diagram
A class diagram in the UML is a type of static structure diagram that
describes the structure of a system by showing the system's classes, their
attributes, and the relationships between the classes.
Private visibility hides information from anything outside the class
partition. Public visibility allows all other classes to view the marked
information.
Protected visibility allows child classes to access information they
inherited from a parent class.
Object Diagram
An object diagram in the Unified Modeling Language (UML) is a diagram
that shows a complete or partial view of the structure of a modeled system at
a specific time.
An Object diagram focuses on some particular set of object instances and
attributes, and the links between the instances. A correlated set of object
diagrams provides insight into how an arbitrary view of a system is
expected to evolve over time.
Object diagrams are more concrete than class diagrams, and are often used
to provide examples, or act as test cases for the class diagrams. Only those
aspects of a model that are of current interest need be shown on an object
diagram.
State Diagram
A state diagram is a type of diagram used in computer science and related
fields to describe the behavior of systems. State diagrams require that the
system described is composed of a finite number of states; sometimes, this
is indeed the case, while at other times this is a reasonable abstraction.
There are many forms of state diagrams, which differ slightly and have
different semantics.
ACTIVITY DIAGRAM:
Activity diagrams are loosely defined diagrams that show workflows of
stepwise activities and actions, with support for choice, iteration and
concurrency. In UML, activity diagrams can be used to describe the business
and operational step-by-step workflows of components in a system. UML
activity diagrams could potentially model the internal logic of a complex
operation. In many ways UML activity diagrams are the object-oriented
equivalent of flow charts and data flow diagrams (DFDs) from structural
development.
SEQUENCE DIAGRAM:
A sequence diagram in UML is a kind of interaction diagram that
shows how processes operate with one another and in what order.
It is a construct of a message sequence chart. Sequence diagrams are
sometimes called Event-trace diagrams, event scenarios, and timing
diagrams.
UML sequence diagrams model the flow of logic within your system in
a visual manner, enabling you both to document and validate your logic,
and are commonly used for both analysis and design purposes. Sequence
diagrams are the most popular UML artifact for dynamic modeling, which
focuses on identifying the behavior within your system.
COLLABORATION DIAGRAM:
A collaboration diagram shows the objects and relationships involved in
an interaction, and the sequence of messages exchanged among the objects
during the interaction.
The collaboration diagram can be a decomposition of a class, class
diagram, or part of a class diagram. It can be the decomposition of a use
case, use case diagram, or part of a use case diagram.
The collaboration diagram shows messages being sent between classes
and object (instances). A diagram is created for each system operation that
relates to the current development cycle (iteration).
COMPONENT DIAGRAM:
Components are wired together by using an assembly connector to
connect the required interface of one component with the provided
interface of another component. This illustrates the service consumer /
service provider relationship between the two components. An assembly
connector is a "connector between two components that defines that one
component provides the services that another component requires. An
assembly connector is a connector that is defined from a required interface
or port to a provided interface or port." When using a component diagram
to show the internal structure of a component, the provided and required
interfaces of the encompassing component can delegate to the
corresponding interfaces of the contained components.
[Data flow diagrams: Level 0, Level 1, All Levels]
E-R DIAGRAM:
In software engineering, an entity-relationship model (ERM) is an
abstract and conceptual representation of data. Entity-relationship
modeling is a database modeling method, used to produce a type
of conceptual schema or semantic data model of a system, often
a relational database, and its requirements in a top-down fashion.
Diagrams created by this process are called entity-relationship
5. IMPLEMENTATION
5.1.User Authentication :
using System;

public partial class UserRegistration : System.Web.UI.Page
{
    bo bo_obj = new bo();
    bal bal_obj = new bal();

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Obtain the registration ID on first load and keep it in ViewState across postbacks.
            ViewState["ID"] = bal_obj.BAL_User_ID();
        }
    }

    protected void btn_register_Click(object sender, EventArgs e)
    {
        if (txt_password.Text == txt_conf_pass.Text)
        {
            try
            {
                string a = string.Empty;
                bo_obj.Username = txt_username.Text;
                bo_obj.Empid = txt_empid.Text;
                bo_obj.Designation = drop_designation.Text;
                bo_obj.Age = Convert.ToInt32(txt_age.Text);
                bo_obj.Gender = drop_gender.Text;
                // The password leaves this page as typed; any hashing has to happen in bal/dal.
                bo_obj.Password = txt_password.Text;
                bo_obj.Sec_ques = drop_securityques.Text;
                bo_obj.Sec_ans = txt_answer.Text;
                bo_obj.Mobile = Convert.ToDouble(txt_mobile.Text);
                bo_obj.Idprovider = ViewState["ID"].ToString();
                bal_obj.user_reg(bo_obj);

                a = ViewState["ID"].ToString();
                Response.Write("<script>alert('Your Registration id is : " + a + " ')</script>");

                // Clear the form after a successful registration.
                txt_age.Text = "";
                txt_answer.Text = "";
                txt_empid.Text = "";
                txt_mobile.Text = "";
                txt_username.Text = "";
                drop_designation.Text = "";
                drop_gender.Text = "";
                drop_securityques.Text = "";
            }
            catch (Exception)
            {
                throw;
            }
        }
        else
        {
            Response.Write("<script>alert('Registration failed! password mismatch')</script>");
        }
    }
}
5.2.User Login :
using System;

public partial class UserLogin : System.Web.UI.Page
{
    bal bal_log = new bal();
    bo bo_log = new bo();

    protected void Page_Load(object sender, EventArgs e)
    {
        MsgLbl.Visible = false;
    }

    protected void btn_login_Click(object sender, EventArgs e)
    {
        MsgLbl.Visible = true;
        bo_log.Username = txt_usrlogin.Text;
        bo_log.Password = txt_usrpass.Text;

        // login() returns the user's designation; any other value is treated as a failed login.
        string des = bal_log.login(bo_log);
        string target = null;
        if (des == "Doctor" || des == "Senior Doctor")
            target = "Doctor.aspx";
        else if (des == "Nurse" || des == "Senior Nurse")
            target = "Nurse.aspx";
        else if (des == "Receptionist")   // == is null-safe, unlike des.Equals(...)
            target = "Receptionist.aspx";

        if (target != null)
        {
            // Store the user name in the session only after the credentials were accepted.
            Session["name"] = txt_usrlogin.Text;
            Response.Redirect(target);
        }
        else
        {
            MsgLbl.Text = "Invalid user ID or Password";
        }
    }
}
Data Owner :
5.3.Authentication :
using System;

public partial class Admin : System.Web.UI.Page
{
    bal balob = new bal();
    bo bo_ob = new bo();

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void btn_admin_Click(object sender, EventArgs e)
    {
        Session["admin"] = txt_adm_name.Text;
        bo_ob.Username = txt_adm_name.Text;
        bo_ob.Password = txt_adm_pass.Text;
        // The result of adlog() is not checked in this listing: unless adlog() throws on
        // bad credentials, the session value is set and the redirect happens for any input.
        balob.adlog(bo_ob);
        Response.Redirect("AdminPage.aspx");
    }
}
5.4.Key Generate :
using System;
using System.Data;

public partial class AdminPage : System.Web.UI.Page
{
    bal bal_ob = new bal();
    bo bo_ob = new bo();
    DataSet ds = new DataSet();
    dal dal_ob = new dal();

    protected void Page_Load(object sender, EventArgs e)
    {
        // Throws NullReferenceException if the page is opened without Session["admin"] set.
        lb_username.Text = Session["admin"].ToString();
        if (!IsPostBack)
        {
            bind();
        }
    }

    // Loads the user details returned by the business layer into the grid.
    public void bind()
    {
        ds = bal_ob.ad_grid(bo_ob);
        gv_userdet.DataSource = ds;
        gv_userdet.DataBind();
    }
}
5.5.Encrypt Data :
using System;
using System.IO;

public partial class FileEncrypt : System.Web.UI.Page
{
    EncryptionService es = new EncryptionService();

    protected void Page_Load(object sender, EventArgs e)
    {
        // lb_usrrequest.Visible = false;
        lb_encrypt.Visible = false;
    }

    protected void btn_encrypt_Click(object sender, EventArgs e)
    {
        lb_encrypt.Visible = true;
        try
        {
            // GetFileName drops any directory part sent by the browser.
            string FileName = Path.GetFileName(file_upld.FileName);
            Session["FileName"] = FileName;
            string FileExtension = Path.GetExtension(FileName);
            if (FileExtension == ".docx" || FileExtension == ".doc" || FileExtension == ".txt" ||
                FileExtension == ".pdf" || FileExtension == ".jpg")
            {
                // Each owner uploads into a Temp folder named after Session["admin"].
                if (!System.IO.Directory.Exists(Server.MapPath("~/Temp/" + Session["admin"])))
                    System.IO.Directory.CreateDirectory(Server.MapPath("~/Temp/" + Session["admin"]));
                file_upld.SaveAs(Server.MapPath("~/Temp/" + Session["admin"] + "/" + FileName));
            }
            else
            {
                ClientScript.RegisterStartupScript(Page.GetType(), "validation",
                    "<script language='javascript'>alert('file format not supported')</script>");
            }
            // The listing ends here; the call into EncryptionService is not shown.
        }
        catch (Exception)
        {
            throw;
        }
    }
}
Cloud Encryption :
5.6.Key Generation and Encryption in Cloud :
using System;

public partial class CloudEncrypt : System.Web.UI.Page
{
    bal bal_ob = new bal();
    bo bo_ob = new bo();
    ReEncryption re = new ReEncryption();

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void btn_keygen_Click(object sender, EventArgs e)
    {
        bool a;
        try
        {
            // Generate the cloud's key pair; the drop-down supplies the argument to skeygen().
            Secondkeygen obj_RSAKey = new Secondkeygen();
            obj_RSAKey.skeygen(Convert.ToInt32(DropDownList1.SelectedValue));
            bo_ob.Pkkey = obj_RSAKey.Privatekey;
            bo_ob.Pbkey = obj_RSAKey.Publickey;
            a = bal_ob.keygen(bo_ob);

            // Both keys are written to "~/Cloud Keys/", inside the web application's folder.
            // That folder must not be served to clients, since the .csk file holds the private key.
            // writeKeys is a helper of this class that the listing does not show.
            writeKeys(obj_RSAKey.Publickey, Session["admin"].ToString() + ".cpk",
                Server.MapPath("~/Cloud Keys/"));
            writeKeys(obj_RSAKey.Privatekey, Session["admin"].ToString() + ".csk",
                Server.MapPath("~/Cloud Keys/"));
        }
        catch (Exception)
        {
            throw;
        }
    }
}
User Access :
5.7 Requesting Key :
protected void btn_send_Click(object sender, EventArgs e)
{
    // The requested document name is kept in the session for the data owner's page to read.
    Session["request"] = txt_doc_request.Text.ToString();
    ClientScript.RegisterStartupScript(Page.GetType(), "validation",
        "<script language='javascript'>alert('Request Sucessfully Send to Owner...')</script>");
}

protected void btn_download_record_Click(object sender, EventArgs e)
{
    Response.Redirect("UserDownloadKey.aspx");
}
5.8 Key From Data Owner :
protected void Page_Load(object sender, EventArgs e)
{
    lnk_cloud.Visible = false;
    lb_usrreq.Text = " ";
    if (Session["request"] == null)
    {
        // With response buffering on (the default), Redirect discards the script
        // written just before it, so this alert is not shown.
        Response.Write("<script>alert('There are no request from user ')</script>");
        Response.Redirect("CloudEncrypt.aspx");
    }
    else
    {
        lb_usrreq.Text = Session["name"].ToString() + " : " + Session["request"].ToString();
    }
    // lb_usrreq.Text = Session["request"].ToString();
    lb_key_send.Visible = false;
    // string s = Path.GetFileName(upld_key.PostedFile.FileName);
}
Clouds Key :
protected void btn_cld_key_Click(object sender, EventArgs e)
{
    if (Session["cldkeyname"] != null)
    {
        string a = Session["cldkeyname"].ToString();
        // string filename = Session["admin"].ToString() + ".sk";
        string filename = a;
        // The path is assembled from two session values without further checks.
        string absolutePath = Server.MapPath("~/UsersKey/" + Session["name"] + "/" + filename);
        //~/UsersKey/UserCldKey" + "/" + Session["name"] + "/" + filename
        Response.ContentType = "text/plain";
        Response.AddHeader("Content-Disposition", "attachment;filename=" + filename);
        Response.TransmitFile(absolutePath);
        Response.End();
    }
    else
    {
        // With response buffering on (the default), Redirect discards the script
        // written just before it, so this alert is not shown.
        Response.Write("<script>alert('Send a Request to DataOwner to download key')</script>");
        Response.Redirect("DoctorEntries.aspx");
    }
}
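The key download handler above builds its file path from Session["name"], which originates from the login text box in section 5.2, and from Session["cldkeyname"]. The following added example, which is not part of the project's code, shows one way to confine such a download to the per-user key folder before calling Response.TransmitFile; KeyPathGuard, Resolve and IsPlainName are hypothetical names, and the temp folder stands in for Server.MapPath("~/UsersKey/").

```csharp
using System;
using System.IO;

// Added example, not the project's code: confines a per-user key download to
// one directory. KeyPathGuard, Resolve and IsPlainName are hypothetical names.
static class KeyPathGuard
{
    // Returns the full path of keyRoot/userName/fileName, or null when either
    // part is not a plain name or the result would fall outside keyRoot.
    public static string Resolve(string keyRoot, string userName, string fileName)
    {
        if (!IsPlainName(userName) || !IsPlainName(fileName))
            return null;

        string root = Path.GetFullPath(keyRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;

        // Canonicalize first, then compare: the check runs on the path the
        // file system will actually open, not on the string as typed.
        string full = Path.GetFullPath(Path.Combine(root, userName, fileName));
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    // Allow-list: letters, digits, '.', '_' and '-'; no separators, no "." or "..".
    static bool IsPlainName(string s)
    {
        if (string.IsNullOrEmpty(s) || s == "." || s == "..")
            return false;
        foreach (char c in s)
            if (!(char.IsLetterOrDigit(c) || c == '.' || c == '_' || c == '-'))
                return false;
        return true;
    }

    static void Main()
    {
        // Stands in for Server.MapPath("~/UsersKey/") in the page's handler.
        string root = Path.Combine(Path.GetTempPath(), "UsersKey");

        // Constructed inputs: { value of Session["name"], value of Session["cldkeyname"] }
        string[][] cases =
        {
            new[] { "alice", "alice.csk" },
            new[] { "..", "web.config" },
            new[] { "alice", "..\\..\\web.config" },
            new[] { "alice/../bob", "bob.csk" },
            new[] { "", "alice.csk" },
        };
        foreach (string[] c in cases)
        {
            string path = Resolve(root, c[0], c[1]);
            Console.WriteLine("{0,-16} {1,-22} -> {2}", "'" + c[0] + "'", "'" + c[1] + "'",
                path == null ? "rejected" : "served from " + path);
        }
    }
}
```

In the handler, a null result would end the request with an error response instead of reaching Response.TransmitFile; only the first constructed input resolves to a path.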
[Screenshots: Home Page, User Registration, Admin Login, User Profile, Validating Registration ID]
9. FUTURE ENHANCEMENT
We plan to investigate the alternative choices for the TLE approach
further. We also plan to further reduce the computational cost by exploiting partial
relationships among ACPs.
Advantages
It provides a better way to handle data updates and changes in user dynamics.
It supports expressive access control policies.
When user dynamics change, only the outer layer of the encryption needs to be
updated.
Because outer layer encryption is performed at the cloud, no data transmission is
required between the data owner and the cloud.
Applications:
Big organizations (Amazon, IBM) maintain clouds to store data. This approach
can be implemented there to provide privacy.
Conclusion:
In this paper, we proposed a two layer encryption based approach to solve this
problem by delegating as much of the access control enforcement
responsibilities as possible to the Cloud while minimizing the information
exposure risks due to colluding Users and Cloud. A key problem in this regard is
how to decompose ACPs so that the Owner has to handle a minimum number of
attribute conditions while hiding the content from the Cloud. We showed that the
policy decomposition problem is NP-Complete and provided approximation
algorithms. Based on the decomposed ACPs, we proposed a novel approach to
privacy preserving fine-grained delegated access control to data in public clouds.
Our approach is based on a privacy preserving attribute based key management
scheme that protects the privacy of users while enforcing attribute based ACPs.
As the experimental results show, decomposing the ACPs and utilizing the two
layers of encryption reduce the overhead at the Owner.